CVE-2021-40589
Description
ZAngband zangband-data 2.7.5 has an integer underflow in src/tk/plat.c during bitmap file loading, potentially leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ZAngband zangband-data version 2.7.5, the file src/tk/plat.c contains an integer underflow vulnerability when parsing a bitmap file's header. The fileheader.bfOffBits field is read from the file without validation, so a crafted value underflows the calculation of ncol, and the resulting ncol is then used as a size argument for a memory allocation call [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted bitmap file to the user. The user must load this file into the game, for example by selecting it as a custom tileset or via a scenario that triggers bitmap loading. The crafted file contains a manipulated bfOffBits field that, when processed, leads to an integer underflow in the code that computes ncol, resulting in a large or negative value being passed to a memory allocation function [1].
Impact
Successful exploitation could lead to memory corruption, potentially allowing an attacker to crash the application or execute arbitrary code with the privileges of the user running ZAngband. The exact impact depends on what happens with the oversized allocation: an outright allocation failure is most likely a crash (denial of service), while an allocation whose size no longer matches the data later written into it may be exploitable for code execution [1].
Mitigation
As of the cited reference, no official patch has been released for this vulnerability. Users are advised not to load bitmap files from untrusted sources. The vendor has not indicated a fixed version or provided a workaround, and the project may be unmaintained, so upgrading to a patched version may not be possible [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ZAngband/zangband-data
  - Range: =2.7.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer underflow in src/tk/plat.c when computing ncol from the tainted fileheader.bfOffBits field without validation."
Attack vector
An attacker supplies a crafted BMP file whose `bfOffBits` field is set to a value smaller than 54. The subtraction `bfOffBits - 54` then underflows: if the field is treated as unsigned it wraps around to a very large positive integer, and if it is signed it goes negative, which becomes a huge value once converted to an allocation size. Either way `ncol` is far outside the range a real palette can have, and passing it to the memory allocation likely causes a crash or exploitable heap corruption [ref_id=1]. No authentication or special privileges are required; the attacker only needs to get the application to load the malicious BMP file.
Affected code
The bug resides in `src/tk/plat.c` where the `fileheader.bfOffBits` field is read from a BMP file without validation. This tainted value is used in the computation `ncol = (fileheader.bfOffBits - 54) / 4`, and `ncol` is subsequently passed to the memory allocation macro `C_MAKE(pal, ncol * 3, byte)` [ref_id=1].
What the fix does
The advisory does not include a patch. To fix the vulnerability, the code must validate that `fileheader.bfOffBits` is at least 54 before computing `ncol`. If `bfOffBits` is less than 54, the subtraction would underflow; the file should be rejected as malformed. Additionally, the resulting `ncol` value should be checked against a reasonable upper bound before being used in memory allocation to prevent excessive allocation.
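The following is an added example, not ZAngband's code and not a patch from the project, written to show the unchecked computation described in the Affected code and Attack vector sections beside the validation that the paragraph above calls for. The constant 54 and the expressions `(bfOffBits - 54) / 4` and `ncol * 3` are taken from the page; the BMP field layout (magic `BM`, 32-bit little-endian `bfOffBits` at byte offset 10, 14-byte file header plus 40-byte info header, 4-byte BGRx palette entries) is the standard Windows bitmap format. The function names, the 256-entry palette cap, the RGB output ordering and the constructed sample headers are assumptions made for illustration.

```c
/* Added example: the unchecked ncol computation from the advisory next to a
 * hardened version. Not ZAngband's code; names and the 256-entry cap are
 * assumptions for illustration. Build: cc -std=c99 -Wall example.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_HEADERS_LEN 54u   /* file header (14) + BITMAPINFOHEADER (40) */
#define BMP_MAX_PALETTE 256u  /* assumption: an 8-bit BMP has at most 256 entries */

/* BMP integers are little-endian regardless of host byte order. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read bfOffBits (byte offset 10) from a raw BMP buffer. -1 if not a BMP prefix. */
int bmp_read_bfoffbits(const unsigned char *buf, size_t len, uint32_t *bfOffBits)
{
    if (len < BMP_HEADERS_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    *bfOffBits = rd_le32(buf + 10);
    return 0;
}

/* Vulnerable pattern, as the advisory describes: bfOffBits is trusted. With an
 * unsigned field, 50 - 54 wraps to 0xFFFFFFFC and ncol becomes 1073741823. */
uint32_t ncol_unchecked(uint32_t bfOffBits)
{
    return (bfOffBits - BMP_HEADERS_LEN) / 4;
}

/* Hardened: reject bfOffBits below the fixed headers (the underflow case) and
 * cap ncol before it can reach an allocator. Returns ncol, or -1 to reject. */
long long ncol_checked(uint32_t bfOffBits)
{
    uint32_t n;
    if (bfOffBits < BMP_HEADERS_LEN) return -1;  /* subtraction would underflow */
    n = (bfOffBits - BMP_HEADERS_LEN) / 4;
    if (n > BMP_MAX_PALETTE) return -1;          /* larger than any real palette */
    return (long long)n;
}

/* Allocate the 3-bytes-per-entry palette (the role of C_MAKE(pal, ncol * 3, byte)
 * on the page) only after validation, and only if the palette bytes are really
 * present in the buffer. Caller frees the result. NULL means rejected. */
unsigned char *load_palette(const unsigned char *buf, size_t len, uint32_t *ncol_out)
{
    uint32_t off, i;
    long long n;
    unsigned char *pal;

    if (bmp_read_bfoffbits(buf, len, &off) != 0) return NULL;
    n = ncol_checked(off);
    if (n < 0) return NULL;
    if (len < BMP_HEADERS_LEN + (size_t)n * 4) return NULL;  /* truncated palette */
    pal = malloc((size_t)n * 3 + 1);  /* +1 keeps an empty palette non-NULL */
    if (pal == NULL) return NULL;
    for (i = 0; i < (uint32_t)n; i++) {
        const unsigned char *e = buf + BMP_HEADERS_LEN + i * 4;  /* BGRx on disk */
        pal[i * 3 + 0] = e[2];  /* R */
        pal[i * 3 + 1] = e[1];  /* G */
        pal[i * 3 + 2] = e[0];  /* B */
    }
    *ncol_out = (uint32_t)n;
    return pal;
}

/* Constructed test input (not a real image): 'BM', bfOffBits at offset 10, a
 * 40-byte info header, then pal_len raw palette bytes. Returns bytes written.
 * out must hold at least 54 + pal_len bytes. */
size_t build_bmp_prefix(unsigned char *out, uint32_t bfOffBits,
                        const unsigned char *pal, size_t pal_len)
{
    memset(out, 0, BMP_HEADERS_LEN);
    out[0] = 'B'; out[1] = 'M';
    out[10] = (unsigned char)bfOffBits;
    out[11] = (unsigned char)(bfOffBits >> 8);
    out[12] = (unsigned char)(bfOffBits >> 16);
    out[13] = (unsigned char)(bfOffBits >> 24);
    out[14] = 40;  /* biSize */
    if (pal_len) memcpy(out + BMP_HEADERS_LEN, pal, pal_len);
    return BMP_HEADERS_LEN + pal_len;
}

int main(void)
{
    unsigned char buf[80];
    const unsigned char two_entries[8] = {0x10, 0x20, 0x30, 0x00, 0x40, 0x50, 0x60, 0x00};
    uint32_t ncol = 0;
    unsigned char *pal;

    printf("malicious bfOffBits=50: unchecked ncol=%u, checked=%lld\n",
           ncol_unchecked(50), ncol_checked(50));
    build_bmp_prefix(buf, 62, two_entries, sizeof two_entries);
    pal = load_palette(buf, 62, &ncol);
    printf("well-formed bfOffBits=62: ncol=%u first RGB=%02x%02x%02x\n",
           ncol, pal[0], pal[1], pal[2]);
    free(pal);
    return 0;
}
```

The two checks in `ncol_checked` are the ones the paragraph above describes: the lower bound removes the underflow, and the upper bound keeps a still-valid but absurd `bfOffBits` (for example, one pointing gigabytes into the file) from turning into a huge allocation. `load_palette` adds the check a practitioner would also want, that the palette bytes actually exist in the data read, since otherwise a correct `ncol` can still drive an out-of-bounds read while filling `pal`.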
Preconditions
- input: The application must load a BMP file from an attacker-controlled source.
- input: The BMP file must have a bfOffBits field value less than 54.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. sourceforge.net/p/zangband/bugs/671/
News mentions
No linked articles in our index yet.