lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Memory access violation in draw.c:352 #29

Closed invictus1306 closed 6 years ago

invictus1306 commented 6 years ago

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./abcm2ps report2.abc 
==17297== Memcheck, a memory error detector
==17297== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17297== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17297== Command: ./abcm2ps report2.abc
==17297== 
abcm2ps-8.13.21 (2018-05-05)
File report2.abc
report2.abc:127:20: error: Invalid note duration
report2.abc:127:20: error: Note too much dotted
report2.abc:127:20: error: Invalid note duration
report2.abc:127:20: error: Note too much dotted
==17297== Invalid read of size 4
==17297==    at 0x4123B0: calculate_beam (draw.c:352)
==17297==    by 0x418F3C: draw_sym_near (draw.c:4097)
==17297==    by 0x4295CB: delayed_output (music.c:5085)
==17297==    by 0x4295CB: output_music (music.c:5140)
==17297==    by 0x42E1F0: generate (parse.c:1039)
==17297==    by 0x42E877: gen_ly (parse.c:1060)
==17297==    by 0x43433F: do_tune (parse.c:3621)
==17297==    by 0x405488: abc_eof (abcparse.c:200)
==17297==    by 0x41FA44: frontend (front.c:905)
==17297==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17297==    by 0x4030E7: main (abcm2ps.c:1040)
==17297==  Address 0x400447dbc is not stack'd, malloc'd or (recently) free'd
==17297== 
==17297== 
==17297== Process terminating with default action of signal 11 (SIGSEGV)
==17297==  Access not within mapped region at address 0x400447DBC
==17297==    at 0x4123B0: calculate_beam (draw.c:352)
==17297==    by 0x418F3C: draw_sym_near (draw.c:4097)
==17297==    by 0x4295CB: delayed_output (music.c:5085)
==17297==    by 0x4295CB: output_music (music.c:5140)
==17297==    by 0x42E1F0: generate (parse.c:1039)
==17297==    by 0x42E877: gen_ly (parse.c:1060)
==17297==    by 0x43433F: do_tune (parse.c:3621)
==17297==    by 0x405488: abc_eof (abcparse.c:200)
==17297==    by 0x41FA44: frontend (front.c:905)
==17297==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17297==    by 0x4030E7: main (abcm2ps.c:1040)
==17297==  If you believe this happened as a result of a stack
==17297==  overflow in your program's main thread (unlikely but
==17297==  possible), you can try to increase the size of the
==17297==  main thread stack using the --main-stacksize= flag.
==17297==  The main thread stack size used in this run was 8388608.
==17297== 
==17297== HEAP SUMMARY:
==17297==     in use at exit: 957,953 bytes in 120 blocks
==17297==   total heap usage: 153 allocs, 33 frees, 2,220,269 bytes allocated
==17297== 
==17297== LEAK SUMMARY:
==17297==    definitely lost: 0 bytes in 0 blocks
==17297==    indirectly lost: 0 bytes in 0 blocks
==17297==      possibly lost: 0 bytes in 0 blocks
==17297==    still reachable: 957,953 bytes in 120 blocks
==17297==         suppressed: 0 bytes in 0 blocks
==17297== Rerun with --leak-check=full to see details of leaked memory
==17297== 
==17297== For counts of detected and suppressed errors, rerun with: -v
==17297== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It is a read access violation (calculate_beam (draw.c:352)):

report2.zip

stem_err = min_tb[0][(unsigned) s->nflags];

gef➤  p s->nflags
$1 = 0xff

gef➤  p min_tb[0][(unsigned) s->nflags]
Cannot access memory at address 0x400447dbc

The value of s->nflags could be controlled by an attacker but I did not do a thorough analysis.
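As an added example (not code from the abcm2ps project or from the reporter), the following C model reproduces the shape of the faulty lookup and shows a bounds-checked form of it. The page gives neither the dimensions of `min_tb` nor the declared type of `nflags`, so both are assumptions here: `min_tb` is modelled as a 2x6 float table and `nflags` as a `signed char` holding -1 (a value that displays as 0xff). The `(unsigned) s->nflags` cast promotes -1 to `int` and then wraps it to `UINT_MAX`, which is why the index lands far outside the table; the hardened lookup range-checks the index as a signed value before touching memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for the beam table in the issue. The real
 * dimensions of min_tb are not on the page and are assumed here. */
#define MIN_TB_ROWS 2
#define MIN_TB_COLS 6

static const float min_tb[MIN_TB_ROWS][MIN_TB_COLS] = {
    { 2.0f, 2.5f, 3.0f, 3.5f, 4.0f, 4.5f },
    { 3.0f, 3.5f, 4.0f, 4.5f, 5.0f, 5.5f },
};

/* Note symbol with the flag count in a narrow signed field; the type is an
 * assumption. A parser error path leaving it at -1 would show as 0xff. */
struct sym {
    signed char nflags;
};

/* The index the original expression computes: (unsigned) s->nflags.
 * A negative nflags is promoted to int (-1) and then converted to
 * unsigned, yielding UINT_MAX, so min_tb[0][idx] reads far out of bounds. */
unsigned raw_index(const struct sym *s)
{
    return (unsigned) s->nflags;
}

/* Hardened lookup: validate row and column as signed integers before
 * indexing. Returns false and leaves *out unchanged on any bad index. */
bool lookup_stem_err(const struct sym *s, int row, float *out)
{
    int idx = s->nflags;            /* promote first, then range-check */
    if (row < 0 || row >= MIN_TB_ROWS)
        return false;
    if (idx < 0 || idx >= MIN_TB_COLS)
        return false;
    *out = min_tb[row][idx];
    return true;
}

int main(void)
{
    struct sym good = { .nflags = 3 };
    struct sym bad  = { .nflags = -1 };   /* the 0xff seen in gdb, as a signed byte */
    float v = 0.0f;
    bool ok;

    printf("raw index for nflags=-1: %u (UINT_MAX is %u)\n", raw_index(&bad), UINT_MAX);

    ok = lookup_stem_err(&good, 0, &v);
    printf("checked lookup, nflags=3:  ok=%d value=%g\n", ok, v);

    ok = lookup_stem_err(&bad, 0, &v);
    printf("checked lookup, nflags=-1: ok=%d (rejected, no read performed)\n", ok);
    return 0;
}
```

The point of the checked version is that the sign of the field is examined before any conversion to an array index; casting to `unsigned` first hides the negative value rather than rejecting it, and a rejected lookup can then be reported as an input error at the same place the parser already reports "Invalid note duration".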