VYPR
Unrated severity · OSV Advisory · Published Jun 29, 2018 · Updated Sep 17, 2024

CVE-2018-13007

Description

An issue was discovered in gpmf-parser 1.1.2. There is a heap-based buffer over-read in GPMF_parser.c in the function GPMF_Next, related to certain checks for GPMF_KEY_END and nest_level (not conditional on a buffer_size_longs check).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer over-read in gpmf-parser 1.1.2's GPMF_Next function can cause a crash or information disclosure via crafted GPMF data.

Vulnerability

In gpmf-parser version 1.1.2, the function GPMF_Next in GPMF_parser.c contains a heap-based buffer over-read vulnerability. The issue occurs because the code checks for GPMF_KEY_END and nest_level without first verifying that the buffer position is within bounds using a buffer_size_longs check. This allows reading beyond the allocated heap buffer when processing specially crafted GPMF data. The affected function is called during parsing of GPMF metadata, such as from GoPro video files.
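The check ordering described above, as an added example that is not gpmf-parser's code: a simplified key/header/payload walker over 32-bit words in which every read, including the end-key test, is bounded by `buffer_size_longs` first. The `klv_stream` struct, `klv_next`, the header-word layout and the sample data are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_END 0u /* terminator key, modelled on GPMF_KEY_END */

typedef enum { KLV_OK, KLV_END, KLV_TRUNCATED } klv_status;

/* Hypothetical cursor for this sketch; not gpmf-parser's own struct. */
typedef struct {
    const uint32_t *buffer;     /* stream as 32-bit words */
    uint32_t buffer_size_longs; /* number of valid words in buffer */
    uint32_t pos;               /* index of the current item's key word */
} klv_stream;

/* Model header word: bits 16-23 = element size, bits 0-15 = repeat count. */
static uint32_t payload_longs(uint32_t hdr)
{
    uint32_t bytes = ((hdr >> 16) & 0xFFu) * (hdr & 0xFFFFu);
    return (bytes + 3u) / 4u; /* payload is padded to whole words */
}

/* Advance to the next item; every buffer[] read is bounded first. */
klv_status klv_next(klv_stream *s)
{
    if (s->pos >= s->buffer_size_longs || s->buffer_size_longs - s->pos < 2)
        return KLV_TRUNCATED; /* no room for key + header words */

    uint32_t skip = 2u + payload_longs(s->buffer[s->pos + 1]);
    if (skip > s->buffer_size_longs - s->pos)
        return KLV_TRUNCATED; /* declared payload runs past the buffer */

    uint32_t next = s->pos + skip;
    /* Unchecked pattern: testing buffer[next] == KEY_END here. When the last
     * item ends exactly at the buffer end, next == buffer_size_longs and that
     * is a 4-byte read 0 bytes past the allocation. Bound the index first. */
    if (next >= s->buffer_size_longs || s->buffer[next] == KEY_END)
        return KLV_END;

    s->pos = next;
    return KLV_OK;
}

/* Constructed sample: two items that end exactly at the end of the buffer. */
static const uint32_t SAMPLE[7] = {
    0x41414141u, 0x00040001u, 0x11111111u,              /* 1 x 4 bytes */
    0x42424242u, 0x00020003u, 0x22222222u, 0x00002222u, /* 3 x 2 bytes */
};
```

Building the unchecked variant with `-fsanitize=address` and walking a heap copy of `SAMPLE` is a quick way to confirm a regression test catches the missing bound.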

Exploitation

An attacker can exploit this vulnerability by providing a malicious GPMF stream (e.g., embedded in a video file) to an application using the gpmf-parser library. No authentication is required; the attacker only needs to supply the crafted data. The parsing process triggers the over-read when GPMF_Next attempts to read a key type at an out-of-bounds position. The ASAN report confirms a read of size 4 at an address 0 bytes to the right of a 4568-byte region [1].

Impact

Successful exploitation leads to a heap-buffer over-read, which can cause a denial of service (crash) as demonstrated by the AddressSanitizer report. In some cases, it may also lead to information disclosure if the over-read reveals sensitive heap data. The vulnerability does not provide code execution directly, but could be leveraged in combination with other bugs.

Mitigation

The issue was reported in the upstream repository [1]. As of the publication date (2018-06-29), no official patch had been released. Users should update to a fixed version if available, or avoid processing untrusted GPMF data. The project may have since addressed the issue; consult the repository for the latest status.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Gopro/Gpmf Parser · OSV · 2 versions
    v1.0, v1.01, v1.1, … + 1 more
    • (no CPE) range: v1.0, v1.01, v1.1, …
    • (no CPE) range: <=1.1.2

Patches

0

No patches discovered yet.

References

1
