CVE-2018-18699

Vulnerability

In GoPro gpmf-parser version 1.2.1, the function OpenMP4Source in GPMF_mp4reader.c at line 342 performs an out-of-bounds write when processing malformed MP4 data. The issue arises because the code does not validate the size or offset of data read from the MP4 container before writing to a buffer. A crafted MP4 file can trigger a write of size 4 to an invalid memory address, as demonstrated by a Valgrind or address sanitizer analysis [1].

Exploitation

An attacker needs to supply a specially crafted MP4 file to the vulnerable parser. The attacker can achieve this by tricking a user or automated system into processing the file using the gpmfdemo tool or any application that relies on the gpmf-parser library. No authentication or network access is required beyond file delivery. The process crashes with a SIGSEGV after the invalid write access [1].

Impact

Successful exploitation causes a segmentation fault, leading to a denial of service (DoS). Because the out-of-bounds write may corrupt heap metadata or other memory regions, it could potentially be leveraged for arbitrary write or code execution, though the provided reference only confirms a crash [1]. The severity is high due to the memory corruption primitives available.

Mitigation

GoPro has not released an official fix for this CVE as of the publication date; the latest version 1.2.1 remains vulnerable. Users should limit exposure by not processing untrusted MP4 files with gpmf-parser until a patch is provided. The issue is tracked in the gpmf-parser GitHub repository [1]. No known workarounds exist.