CVE-2018-13026

Vulnerability

The GPMF-parser library version 1.1.2 contains a heap-based buffer over-read vulnerability in the function GPMF_Type located in GPMF_parser.c at line 528. The issue occurs when processing specially crafted GPMF data, where a read of size 4 bytes is attempted from a heap buffer region that is exactly 4 bytes in size, but the read accesses the byte immediately after the allocated buffer (offset 0 bytes to the right). This over-read can be triggered when parsing malformed or malicious GPMF payloads that cause the library to calculate an incorrect size or offset [1].

Exploitation

An attacker can trigger this vulnerability by providing a crafted GPMF sample data file to an application that uses the gpmf-parser library (such as the provided demo GPMF_demo.c). The attacker does not need authentication or special privileges; the attack vector is local or remote if the application accepts user-supplied GPMF data. The heap-buffer over-read is triggered during the GPMF_Type call initiated from PrintGPMF in GPMF_print.c:394, which is invoked by the main demo program [1].

Impact

Successful exploitation results in an out-of-bounds read from the heap, potentially leaking sensitive memory contents or causing the application to crash due to the read of invalid memory. The impact depends on the context of the affected application; information disclosure or denial of service are the most likely outcomes [1].

Mitigation

As of the available references, no fixed version has been released. The issue was reported to the vendor via the GitHub issue tracker on 2018-06-30 [1]. Users should monitor the gpmf-parser repository for a patched release or consider implementing input validation and bounds checking as a workaround. The product is not listed as EOL nor in CISA KEV [1].