CVE-2019-15147
Description
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GPMF-parser 1.2.2 has an out-of-bounds read in GPMF_Next(), leading to a segmentation fault via crafted MP4 files.
Vulnerability
The vulnerability exists in GoPro's GPMF-parser library version 1.2.2. In GPMF_Next() within GPMF_parser.c, an out-of-bounds read occurs when processing specially crafted MP4 files. The issue is triggered by malformed GPMF metadata structures that cause the parser to read beyond allocated memory boundaries. The affected versions are 1.2.2 and earlier; the fix is commit 341f12c [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious MP4 file containing crafted GPMF data. No special network position or authentication is required; the attack is triggered when the victim opens the file using the gpmf-parser utility or any application that uses the library for parsing. The proof-of-concept files were discovered via fuzzing [2]. The out-of-bounds read occurs during the parsing process, leading to a segmentation fault.
Impact
Successful exploitation results in a segmentation fault (SEGV), causing a denial of service (DoS). The crash is due to the out-of-bounds read, which may also have potential for information disclosure, though the primary impact demonstrated is instability and a crash. No code execution has been demonstrated in the available references.
Mitigation
The vulnerability is fixed in commit 341f12c [1], and the fix is included in versions after 1.2.2. Users should update to the latest version of GPMF-parser. There is no known workaround other than avoiding parsing untrusted MP4 files with the vulnerable library. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GoPro/GPMF-parser
- Range: = 1.2.2
References
[1] github.com/gopro/gpmf-parser/commit/341f12cd5b97ab419e53853ca00176457c9f1681 (mitre, x_refsource_MISC)
[2] github.com/gopro/gpmf-parser/issues/60 (mitre, x_refsource_MISC)