CVE-2019-20088

Vulnerability

A heap-based buffer over-read vulnerability exists in the GetPayload function of GPMF_mp4reader.c in GoPro GPMF-parser version 1.2.3. The issue occurs when parsing specially crafted MP4 files that trigger an out-of-bounds read on an allocated heap buffer. The vulnerable code path is reachable when the gpmf-parse utility processes a malicious MP4 file with manipulated payload data, as demonstrated with a proof-of-concept (PoC) input that causes an index access beyond the allocated memory region.[1]

Exploitation

An attacker can trigger the vulnerability by supplying a crafted MP4 file to the gpmf-parse command-line tool. No authentication or special network position is required beyond local access to execute the binary with the malicious file. The attack requires no user interaction aside from the target processing the file. The proof-of-concept details show that running gpmf-parse $POC (where $POC is the crafted file) results in AddressSanitizer reporting a heap-buffer-overflow at a specific index (0x749) in the heap buffer.[1]

Impact

Successful exploitation allows an attacker to cause a heap-based buffer over-read, which can result in information disclosure (reading adjacent heap memory) or a denial of service (crash). The vulnerability does not appear to allow arbitrary code execution directly, as it is a read overrun rather than a write, but it can lead to unpredictable behavior or leakage of sensitive data from the heap. The AddressSanitizer report confirms a heap-buffer-overflow on a zero-length or adjacent heap chunk.[1]

Mitigation

As of the advisory date, no official fix has been released for GPMF-parser 1.2.3. Users are advised to avoid processing untrusted MP4 files with the gpmf-parse tool until a patched version is available. The issue is tracked in the project's GitHub repository as issue #77, and users should monitor for updates. No KEV listing has been associated with this CVE at the time of publication.[1]