CVE-2018-13009
Description
An issue was discovered in gpmf-parser 1.1.2. There is a heap-based buffer over-read in GPMF_parser.c in the function GPMF_Next, related to certain checks for GPMF_KEY_END and nest_level (conditional on a buffer_size_longs check).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer over-read in the GPMF_Next function of gpmf-parser 1.1.2 allows denial of service or information disclosure.
Vulnerability
A heap-based buffer over-read vulnerability exists in the GPMF_Next function of GPMF_parser.c in gpmf-parser version 1.1.2. The over-read occurs when the function accesses ms->buffer[ms->pos] at lines 260, 266, and 277, where an incorrect check for GPMF_KEY_END and nest_level (conditional on a buffer_size_longs check) can lead to reading beyond the allocated buffer boundary. The affected version is gpmf-parser 1.1.2 [1].
Exploitation
An attacker needs to supply a crafted GPMF (GoPro Metadata Format) payload that triggers the vulnerable code path. The issue can be reached via the GPMD_demo.c program when processing a malicious file. No special privileges are required, as the parser is likely used on arbitrary input. The GPMF_Next function is called from GPMF_FindNext, and the condition leading to the over-read involves insufficient bounds checking on the buffer size [1].
Impact
Successful exploitation results in a heap-based buffer over-read. This can lead to information disclosure (reading adjacent heap memory) or a denial of service (crash) depending on the context of the read. The AddressSanitizer report confirms a read of size 4 at an address just after the allocated buffer [1].
Mitigation
According to reference [1] (the GitHub issue), the fix changes the while loop condition in GPMF_Next to while ( ms->nest_size[ms->nest_level] > 0 && ms->buffer[ms->pos] == GPMF_KEY_END), so the remaining nest size is tested before the buffer word is read. Users should update to a version containing this fix. If no official patched release is available, users must manually apply the change or avoid processing untrusted GPMF data.
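A simplified model of the loop described above, added here as an illustration and not taken from gpmf-parser: the struct, the KEY_END value, the helper names and the sample words are assumptions, and the extra pos < buffer_size_longs bound goes beyond the condition quoted in [1]. The two slack words keep the over-read inside a real array so it can be counted safely.

```c
#include <stdint.h>
#include <stdio.h>

#define KEY_END 0u   /* assumed value of the end/padding key in this model */

/* Simplified cursor; field names mirror those quoted in the advisory. */
typedef struct {
    const uint32_t *buffer;
    uint32_t buffer_size_longs;  /* logical payload length, in 32-bit words */
    uint32_t pos, nest_level, nest_size[4];
} stream_model;

/* Constructed sample: a 4-word payload ending in KEY_END padding, then two
 * slack words standing in for whatever sits next to it on the heap. */
static const uint32_t backing[6] = { 0x44455647u, 1u, KEY_END, KEY_END,
                                     KEY_END, 0xDEADBEEFu };
static unsigned oob_reads;       /* reads at index >= buffer_size_longs */

static uint32_t read_word(const stream_model *ms, uint32_t i) {
    if (i >= ms->buffer_size_longs) oob_reads++;   /* instrumentation only */
    return ms->buffer[i];
}

static stream_model sample(void) {
    stream_model ms = { backing, 4u, 2u, 0u, { 2u, 0u, 0u, 0u } };
    oob_reads = 0;
    return ms;
}

/* Before: only the key is tested, so padding at the end walks off the payload. */
unsigned skip_end_unchecked(void) {
    stream_model ms = sample();
    while (read_word(&ms, ms.pos) == KEY_END) ms.pos++;
    return oob_reads;
}

/* After: remaining nest size (the condition quoted above) plus a position
 * bound are tested before the word is dereferenced. */
unsigned skip_end_checked(void) {
    stream_model ms = sample();
    while (ms.pos < ms.buffer_size_longs && ms.nest_size[ms.nest_level] > 0 &&
           read_word(&ms, ms.pos) == KEY_END) {
        ms.pos++;
        ms.nest_size[ms.nest_level]--;
    }
    return oob_reads;
}

int main(void) {
    printf("unchecked: %u out-of-bounds reads\n", skip_end_unchecked());
    printf("checked:   %u out-of-bounds reads\n", skip_end_checked());
    return 0;
}
```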
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v1.0, v1.01, v1.1, …
Patches
No patches discovered yet.
References
[1] github.com/gopro/gpmf-parser/issues/29 (mitre, x_refsource_MISC)