CVE-2021-32435
Description
Stack-based buffer overflow in abcm2ps v8.14.11 via crafted ABC file causes denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the get_key() function within parse.c of abcm2ps version 8.14.11. The root cause lies in set_k_acc(), where the arrays accs and pits are declared with a fixed size of 8, but the loop iterates nacc up to s->u.key.sf without bounds checking. If s->u.key.sf exceeds 7, out-of-bounds writes corrupt the stack. This can be triggered by processing a specially crafted ABC file [1].
Exploitation
An attacker can exploit this by crafting a malicious ABC file containing a key signature (K:) directive that sets the sf field to a value greater than 7. When abcm2ps processes this file using the -E option or similar, the vulnerable code path in set_k_acc() is reached, causing a stack buffer overflow. No authentication or special network position is required; the victim only needs to open the malicious file with the affected abcm2ps version [1].
Impact
Successful exploitation causes a denial of service (DoS) via program crash. The overflow corrupts the stack, including the stack canary, leading to __stack_chk_fail and termination. The extent of further impact (e.g., code execution) is not described in the available references, but the buffer overflow can corrupt adjacent memory [1].
Mitigation
The vulnerability was fixed in commit 3169ace [2], which adds a bounds check before writing to the arrays. Users should upgrade to a version containing this fix or apply the patch. There are no known workarounds for unpatched versions. Red Hat package announcements referenced [3][4] may indicate upcoming or released packages, but they are not accessible without bypassing a bot challenge.
- [1] stack buffer overflow in function get_key() in parse.c (github.com/leesavide/abcm2ps/issues/84)
- [2] fix: crash when accidental without a note at start of line after K: · lewdlime/abcm2ps@3169ace
- [3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6333SXWMES3K22DBAOAW34G6EU6WIJEY/
- [4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVGJH4HMXI3TWMHQJQCG3M7KSXJWJM7R/
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- abcm2ps/abcm2ps (no CPE)
- OSV coordinates (3 versions):
  - pkg:rpm/opensuse/abcm2ps&distro=openSUSE%20Leap%2015.3, range: < 8.14.13-bp153.2.3.1
  - pkg:rpm/opensuse/abcm2ps&distro=openSUSE%20Tumbleweed, range: < 8.14.13-2.1
  - pkg:rpm/suse/abcm2ps&distro=SUSE%20Package%20Hub%2015%20SP3, range: < 8.14.13-bp153.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing null/length checks on parsed note symbols when an accidental appears without a note at the start of a line after a K: key signature."
Attack vector
An attacker can craft a malicious ABC music notation file containing an accidental symbol (e.g., `^`, `_`, or `=`) without a following note at the beginning of a line after a `K:` key change. When abcm2ps parses this malformed input, the `parse_line` function accesses `parse.last_sym->u.note.slur_st` and `curvoice->last_note` without checking whether the symbol is valid, causing a stack-based buffer overflow or null-pointer dereference that results in a denial of service.
Affected code
The vulnerability is in `parse.c` within the `parse_line` and `parse_note` functions of abcm2ps v8.14.11. The crash occurs when an accidental appears without a note at the start of a line after a `K:` key signature command, leading to a null or invalid pointer dereference in the `slur` handling logic.
What the fix does
The patch adds guards in `parse_line` (lines 2043-2046 and 2081-2084) so that `slur_st` is set and `slur` is cleared only when `slur` is non-zero and the parsed note has a positive length (`notes[0].len > 0`). Additionally, the assignment `curvoice->last_note = parse.last_sym` is moved into `parse_note` (lines 2515-2516) and guarded by the same length check, ensuring that an accidental without a following note does not leave stale or invalid pointers.
Preconditions
- Input: The attacker must supply a crafted ABC file that includes an accidental symbol without a note at the start of a line after a K: key signature command.
- Input: The victim must open or process the malicious ABC file with abcm2ps v8.14.11.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6333SXWMES3K22DBAOAW34G6EU6WIJEY/ (MITRE, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVGJH4HMXI3TWMHQJQCG3M7KSXJWJM7R/ (MITRE, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTF4FXCW22FFB5HNQO3GK3F4FFBLTZKE/ (MITRE, vendor-advisory, x_refsource_FEDORA)
- github.com/leesavide/abcm2ps/commit/3169ace6d63f6f517a64e8df0298f44a490c4a15 (MITRE, x_refsource_MISC)
- github.com/leesavide/abcm2ps/issues/84 (MITRE, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2022/04/msg00015.html (MITRE, mailing-list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.