CVE-2018-13008
Description
An issue was discovered in gpmf-parser 1.1.2. There is a heap-based buffer over-read in GPMF_parser.c in the function GPMF_Next, related to certain checks for a positive nest_level.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer over-read in GPMF_Next() in gpmf-parser 1.1.2 due to insufficient nest_level bounds checking.
Vulnerability
A heap-based buffer over-read exists in gpmf-parser version 1.1.2, in the function GPMF_Next within GPMF_parser.c (lines 260, 266, 277). The issue arises because the code fails to properly validate a positive nest_level before accessing memory, allowing reads beyond the allocated buffer. The advisory [1] confirms the bug occurs when ms->nest_size[ms->nest_level] is checked against an incomplete boundary condition.
Exploitation
An attacker can trigger this vulnerability by providing a crafted GPMF (GoPro Metadata Format) payload to the parser. No authentication or special privileges are required; the attack is accomplished by inducing the demo program or any application using the library to process the malicious input. The heap buffer over-read occurs during the GPMF_Next call, as shown in the AddressSanitizer stack trace [1], which reads 4 bytes beyond the heap region.
Impact
Successful exploitation leads to a heap-based buffer over-read, potentially leaking sensitive memory contents or causing a denial of service via application crash. The READ operation occurs out of bounds, as noted in the ASAN report [1]: "READ of size 4 at ... 0 bytes to the right of 4568-byte region." No remote code execution is reported in the reference, but information disclosure is possible.
Mitigation
The fix proposed in the advisory [1] is to modify the condition in GPMF_Next to properly check the nest level before access: while ( ms->nest_size[ms->nest_level] > 0 && ms->buffer[ms->pos] == GPMF_KEY_END). Upstream has not released a patched version as of the disclosure date (June 2018) [1]; users should apply the patch manually or avoid processing untrusted GPMF data until an official update is issued.
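The guard ordering behind that condition, as an added example (a simplified model, not gpmf-parser's code): only nest_size, nest_level, buffer and pos come from the condition quoted above. The struct layout, buffer_words, MAX_NEST, the KEY_END value, and the extra nest_level and pos range checks are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_END  0u  /* stand-in for GPMF_KEY_END (value assumed) */
#define MAX_NEST 8   /* hypothetical nesting limit */

/* Simplified parser cursor; buffer_words is a hypothetical field. */
typedef struct {
    const uint32_t *buffer;       /* payload as 32-bit words */
    size_t buffer_words;          /* allocation size in words */
    size_t pos;                   /* current word index */
    uint32_t nest_level;          /* current nesting depth */
    uint32_t nest_size[MAX_NEST]; /* words left at each depth */
} stream_t;

/* Skip END padding at the current nest level. The remaining-size test runs
 * first, so buffer[pos] is never evaluated once the level is exhausted.
 * The nest_level and pos range checks are extra hardening (assumption). */
size_t skip_end_keys(stream_t *ms)
{
    size_t skipped = 0;
    while (ms->nest_level < MAX_NEST &&
           ms->nest_size[ms->nest_level] > 0 &&
           ms->pos < ms->buffer_words &&
           ms->buffer[ms->pos] == KEY_END) {
        ms->pos++;
        ms->nest_size[ms->nest_level]--;
        skipped++;
    }
    return skipped;
}

/* Constructed input: one data word, then END padding up to the last word,
 * the layout where an unguarded buffer[pos] read lands one word past it. */
size_t demo_padding_to_end(void)
{
    static const uint32_t words[4] = { 0x44454d4fu, KEY_END, KEY_END, KEY_END };
    stream_t ms = { words, 4, 1, 1, { 0, 3 } };
    size_t n = skip_end_keys(&ms);
    return (ms.pos == 4 && ms.nest_size[1] == 0) ? n : (size_t)-1;
}

int main(void)
{
    printf("skipped %zu END words\n", demo_padding_to_end());
    return 0;
}
```

Building this with -fsanitize=address and dropping the first three loop conditions reproduces the class of report quoted in the Impact section on the constructed input.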
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
v1.0, v1.01, v1.1, … + 1 more
- (no CPE) range: v1.0, v1.01, v1.1, …
- (no CPE) range: =1.1.2
Patches
No patches discovered yet.
References
- [1] github.com/gopro/gpmf-parser/issues/29 (mitre, x_refsource_MISC)