VYPR
Unrated severity · NVD Advisory · Published Aug 18, 2019 · Updated Aug 5, 2024

CVE-2019-15148

Description

GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source, leading to potential memory corruption and code execution.

Vulnerability

The vulnerability is an out-of-bounds write in the OpenMP4Source function within demo/GPMF_mp4reader.c of GoPro GPMF-parser version 1.2.2 [1][2]. The bug is triggered during parsing of specially crafted MP4 files, where the code writes beyond the allocated buffer boundary. The affected version is 1.2.2; the fix was introduced in commit 341f12c on the master branch [1].

Exploitation

An attacker can exploit this by providing a maliciously crafted MP4 file to the GPMF-parser. The attacker does not require any special network position or authentication—the vulnerability can be triggered by simply parsing the file locally [2]. The issue was discovered via fuzzing with AddressSanitizer, indicating that crafted inputs can reliably cause memory corruption [2].

Impact

Successful exploitation leads to an out-of-bounds write, which can cause a crash or potentially allow arbitrary code execution in the context of the parser process [1][2]. The CIA impact is primarily integrity (memory corruption) and availability (crash), with potential for confidentiality loss if code execution is achieved.

Mitigation

The fix is available in commit 341f12c in the GoPro GPMF-parser repository [1]. Users should update to a version including this commit or later. No workarounds are documented; parsing untrusted MP4 files with the vulnerable version should be avoided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
