CVE-2019-20086
Description
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_Next in GPMF_parser.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in the GPMF_Next function, allowing out-of-bounds memory access.
Vulnerability
GoPro GPMF-parser version 1.2.3 contains a heap-based buffer over-read in the GPMF_Next function in GPMF_parser.c. The issue occurs when parsing specially crafted GPMF or MP4 files, allowing an attacker to read beyond the allocated buffer. The vulnerability is reachable via the gpmf-parse tool with a malicious input file [1].
Exploitation
An attacker can trigger the heap over-read by providing a crafted MP4 file to gpmf-parse. No special privileges are required; the attacker only needs to convince the victim to process the malicious file (e.g., via social engineering or a web upload). The PoC demonstrated that AddressSanitizer reports an out-of-bounds read at index 0x24 when parsing a specific stream [1].
Impact
A successful heap over-read can lead to information disclosure (leaking heap memory) or a crash (denial of service). The vulnerability does not directly provide code execution, but this memory-safety flaw could be leveraged in combination with other flaws for further exploitation.
Mitigation
No official patch has been released at the time of disclosure. The vendor was notified via a GitHub issue [1]. Users should avoid processing untrusted GPMF/MP4 files until a fix is published. Compiling with AddressSanitizer is recommended for detection during development.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GoPro/GPMF-parser
- Range: =1.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/gopro/gpmf-parser/issues/74 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.