VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2019 · Updated Aug 5, 2024

CVE-2019-20089

Description

GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_SeekToSamples in GPMF_parse.c for the size calculation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer over-read in GPMF_SeekToSamples in GoPro GPMF-parser 1.2.3 allows remote code execution or denial of service via a crafted file.

Vulnerability

The vulnerability is a heap-based buffer over-read in the GPMF_SeekToSamples function in GPMF_parse.c at line 452, within GoPro GPMF-parser version 1.2.3. The over-read occurs during size calculation when parsing a crafted MP4 or GPMF file. The issue is triggered when the parser processes a sample with a complex type string (e.g., containing multiple elements per sample) and the calculation does not properly validate the boundaries of the heap-allocated buffer.
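An added example, not GPMF-parser's code and not a fix for this CVE: the kind of boundary validation the paragraph above describes as missing, applied to a GPMF KLV header before any payload byte is read. It assumes the header layout from GoPro's public format description (4-byte FourCC, type byte, sample-size byte, big-endian 16-bit repeat count, payload padded to 4 bytes); `klv_check`, `klv_count`, `KLV_HDR_LEN` and both sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define KLV_HDR_LEN 8u /* FourCC(4) + type(1) + sample size(1) + repeat(2) */

/* Hypothetical helper: validate one KLV record at byte offset `off` in `buf`.
 * Returns 0 and stores the unpadded payload length and the next record's
 * offset, or -1 if the header or the claimed payload would leave `buf`. */
int klv_check(const uint8_t *buf, size_t buf_len, size_t off,
              size_t *payload_len, size_t *next_off)
{
    if (off > buf_len || buf_len - off < KLV_HDR_LEN)
        return -1;                      /* header itself is truncated */
    size_t sample_size = buf[off + 5];
    size_t repeat = ((size_t)buf[off + 6] << 8) | buf[off + 7];
    size_t len = sample_size * repeat;  /* at most 255 * 65535, no overflow */
    size_t padded = (len + 3u) & ~(size_t)3u;
    /* Compare against the bytes that remain, never against off + padded,
     * so the check itself cannot wrap around. */
    if (padded > buf_len - off - KLV_HDR_LEN)
        return -1;
    *payload_len = len;
    *next_off = off + KLV_HDR_LEN + padded;
    return 0;
}

/* Count records, rejecting the whole buffer on the first bad size. */
int klv_count(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0, len, next;
    int n = 0;
    while (off < buf_len) {
        if (klv_check(buf, buf_len, off, &len, &next) != 0)
            return -1;
        off = next;
        n++;
    }
    return n;
}

/* Constructed: a well-formed record (3 samples of 2 bytes, padded to 8). */
static const uint8_t good_klv[] = { 'D','E','M','O','s',2,0,3, 1,2,3,4,5,6,0,0 };
/* Constructed: header claims 4 * 256 payload bytes, only 4 are present. */
static const uint8_t bad_klv[] = { 'D','E','M','O','L',4,1,0, 0,0,0,0 };

int main(void)
{
    return !(klv_count(good_klv, sizeof good_klv) == 1 &&
             klv_count(bad_klv, sizeof bad_klv) == -1);
}
```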

Exploitation

An attacker needs to provide a specially crafted GPMF (GoPro Metadata Format) file, typically embedded in an MP4 file. The victim must open the file using the gpmf-parse command-line tool or any application using the GPMF-parser library to process the metadata. No authentication is required; the attack is performed locally by supplying the malicious file. The proof-of-concept (PoC) shows that the crash is reproducible with a file that triggers the heap over-read.

Impact

Successful exploitation can lead to a heap-based buffer over-read, which may result in denial of service (application crash) or potentially information disclosure. Given the nature of the bug (over-read vs. overflow), code execution is less likely but cannot be ruled out depending on memory layout. The vulnerability affects any application that uses the GPMF-parser library to parse user-supplied GPMF data.

Mitigation

As of the report date, no official patch has been released by GoPro. Users should avoid processing untrusted GPMF/MP4 files with GPMF-parser versions prior to a fix. The repository has an open issue [1] but no commit or fixed version has been published as of the CVE publication date. The parser may be marked as unmaintained or require manual review.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
