Unrated severity · NVD Advisory · Published Mar 10, 2022 · Updated Aug 3, 2024

CVE-2021-32434

Description

abcm2ps v8.14.11 has an out-of-bounds read in calculate_beam() in draw.c, leading to a crash when processing malformed ABC music files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an out-of-bounds read in calculate_beam() in draw.c of abcm2ps version 8.14.11 [1]. The function accesses the two-dimensional array min_tb using (unsigned) s->nflags as an index without first verifying that s->nflags is within the valid range (0–5). When the input is crafted so that s->nflags holds a value such as 0xfffffffe, the computed index is out of bounds, causing a read beyond the allocated memory for the array [1].

Exploitation

To trigger the vulnerability, an attacker must supply abcm2ps with a specially crafted ABC music file that leaves s->nflags outside the intended range when calculate_beam() is called during rendering [1]. No special privileges are required; the attacker only needs to convince a user to process the malformed file with the affected version of abcm2ps. The reproduction steps provided in the reference show that when s->nflags is 0xfffffffe, the access min_tb[0][(unsigned) s->nflags] attempts to read an invalid memory address, causing the program to crash [1].

Impact

Successful exploitation results in a denial of service (DoS) due to a segmentation fault or crash of abcm2ps [1]. The out-of-bounds read may also expose snippets of sensitive memory, but the primary reported impact is a crash. The vulnerability does not appear to allow code execution or privilege escalation based on the available information.

Mitigation

According to the available references, no official patch for abcm2ps version 8.14.11 has been provided [1]. The repository has been archived and is now read-only, indicating that the software is no longer actively maintained [1]. Users should consider discontinuing use of the affected version or applying a manual fix that adds a bounds check on s->nflags before indexing min_tb. No CISA KEV listing or other workaround has been published.
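The bounds check suggested above, sketched as an added example; it is not abcm2ps source and not an official fix. The table's row count and values, the `struct sym` layout with an `int` field, and the names `unchecked_index` and `min_stem_checked` are assumptions made for illustration; only the 0–5 range and the indexing expression come from the description above.

```c
#include <stdio.h>

#define NFLAGS_MAX 5              /* page: valid s->nflags range is 0..5 */

/* Constructed stand-in for the lookup table; row count and values are assumed. */
static const float min_tb[2][NFLAGS_MAX + 1] = {
    {16.0f, 16.0f, 14.0f, 12.0f, 10.0f, 10.0f},
    {8.0f, 8.0f, 7.0f, 6.0f, 5.0f, 5.0f},
};

struct sym { int nflags; };       /* hypothetical minimal symbol; int type assumed */

/* Column index used by the unchecked expression min_tb[0][(unsigned) s->nflags]. */
static unsigned unchecked_index(const struct sym *s)
{
    return (unsigned) s->nflags;  /* -2 converts to 0xfffffffe when unsigned is 32 bits */
}

/* Hardened lookup: validate before indexing. Returns 0 and stores the
 * table entry in *out, or -1 without touching the table. */
static int min_stem_checked(const struct sym *s, int row, float *out)
{
    if (s == NULL || out == NULL || row < 0 || row > 1)
        return -1;
    if (s->nflags < 0 || s->nflags > NFLAGS_MAX)
        return -1;                /* rejects both negative and too-large values */
    *out = min_tb[row][s->nflags];
    return 0;
}

int main(void)
{
    const int samples[] = {0, 5, 6, -2};   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct sym s = { samples[i] };
        float v = 0.0f;
        int rc = min_stem_checked(&s, 0, &v);
        printf("nflags=%d index=0x%x -> %s\n", samples[i], unchecked_index(&s),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The check is done on the signed value before any cast, so a negative s->nflags is rejected instead of wrapping to a huge unsigned index.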

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
