CVE-2019-20087

Vulnerability

A heap-based buffer over-read exists in the GPMF_seekToSamples function in GPMF-parse.c within GoPro GPMF-parser version 1.2.3. The flaw occurs in the "matching tags" feature when processing a specially crafted GPMF (GoPro Metadata Format) payload, specifically within GPRI stream metadata that produces an out-of-bounds read at index 0x38. The issue is documented in the GPMF-parser issue tracker [1].

Exploitation

An attacker can trigger the vulnerability by providing a malicious MP4 or GPMF file to the affected gpmf-parse binary. No authentication or special privileges are required; the attack is conducted locally or via a file delivered to a user who opens it with the parser. The proof-of-concept provided in the reference uses a crafted karma.mp4 file that induces the over-read when parsed on Ubuntu 19.04 64-bit [1]. The crash is reliably reproduced with compile-time address sanitizer enabled.

Impact

Successful exploitation causes a heap-based buffer over-read, leading to a denial of service via application crash. In scenarios where an attacker can control the over-read data, it may be possible to leak sensitive heap memory contents, though the primary impact is availability loss. The crash occurs during parsing of GPRI stream metadata, preventing the tool from processing the file.

Mitigation

As of the published date, no patched version of GPMF-parser has been released. The issue remains open in the project's issue tracker [1]. Users should avoid parsing untrusted GPMF files with version 1.2.3 until a fix is available. No official workaround has been provided.