CVE-2018-18190
Description
An issue was discovered in GoPro gpmf-parser before 1.2.1. There is a divide-by-zero error in GPMF_ScaledData in GPMF_parser.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A divide-by-zero vulnerability in GoPro gpmf-parser before 1.2.1 allows denial of service via a crafted GPMF sample.
Vulnerability
A divide-by-zero error exists in the GPMF_ScaledData function in GPMF_parser.c (line 1025) in GoPro gpmf-parser before version 1.2.1 [1]. The bug occurs when GPMF_SizeofType(type) returns 0 for an unrecognized type and the result is then used as the divisor in sample_size / inputtypesize without a zero-value check [1].
Exploitation
An attacker can trigger the crash by supplying a crafted GPMF sample that contains a type not in GPMF_SampleType, causing GPMF_SizeofType to return 0 [1]. The proof-of-concept payload is provided as a base64-encoded string; the crash is reproduced via the fuzzer harness and confirmed by UndefinedBehaviorSanitizer with a fatal floating-point exception (FPE) [1]. No authentication or special privileges are required beyond the ability to deliver the malformed input to the parser [1].
Impact
Successful exploitation causes a denial of service (DoS) due to the divide-by-zero operation, halting the parsing process [1]. The impact is limited to availability; there is no indication of code execution or privilege escalation [1].
Mitigation
The issue is fixed in gpmf-parser version 1.2.1, released on 2018-10-09 [2]. Users should update to the patched version. Reference [1] also provides a workaround patch that adds a check for inputtypesize == 0 and returns an error instead of performing the division [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
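The zero-divisor pattern and the guard described under Mitigation, as an added example that is not code from gpmf-parser or from the referenced issue. The ex_* names, the error codes and the type table are hypothetical and constructed for illustration; only inputtypesize and sample_size are taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes for this example (not the library's own). */
enum { EX_OK = 0, EX_ERR_TYPE_NOT_SUPPORTED = 1 };

/* Constructed type table: returns the element size in bytes, or 0 for a
 * type character it does not recognise, which is the behaviour the page
 * describes for GPMF_SizeofType. */
static uint32_t ex_sizeof_type(char type)
{
    switch (type) {
    case 'b': case 'B': return 1;
    case 's': case 'S': return 2;
    case 'l': case 'L': case 'f': return 4;
    case 'd': return 8;
    default:  return 0;   /* unrecognised type */
    }
}

/* Unchecked pattern: an unrecognised type makes the divisor 0. Shown for
 * comparison only; it is never called in this example. */
uint32_t ex_elements_unchecked(char type, uint32_t sample_size)
{
    uint32_t inputtypesize = ex_sizeof_type(type);
    return sample_size / inputtypesize;          /* divide-by-zero if 0 */
}

/* Hardened pattern: reject a zero type size before dividing. */
int ex_elements_checked(char type, uint32_t sample_size, uint32_t *elements)
{
    uint32_t inputtypesize = ex_sizeof_type(type);
    if (inputtypesize == 0 || elements == NULL)
        return EX_ERR_TYPE_NOT_SUPPORTED;
    *elements = sample_size / inputtypesize;
    return EX_OK;
}

int main(void)
{
    /* Constructed inputs: two recognised type characters and one unknown. */
    const char types[] = { 's', 'f', '?' };
    for (size_t i = 0; i < sizeof types; i++) {
        uint32_t n = 0;
        int rc = ex_elements_checked(types[i], 12, &n);
        printf("type '%c': rc=%d elements=%u\n", types[i], rc, (unsigned)n);
    }
    return 0;
}
```

Building a parser's fuzz or regression harness with -fsanitize=undefined, as the referenced report did, surfaces any remaining unchecked division of this kind.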
Affected products
v1.0, v1.01, v1.1, … + 1 more
- (no CPE) range: v1.0, v1.01, v1.1, …
- (no CPE) range: <1.2.1
Patches
No patches discovered yet.
References
- [1] github.com/gopro/gpmf-parser/issues/41 (mitre, x_refsource_MISC)
- [2] github.com/gopro/gpmf-parser/releases/tag/v1.2.1 (mitre, x_refsource_MISC)