Tempus Ex Hello-Video-Codec Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Tempus Ex Hello-Video-Codec version 0.1.0. The issue arises from improper input validation in the BitstreamWriter::write_bits() function, where untrusted bit-lengths derived from user-controlled input are accepted without bounds checking. This flaw can be exploited by sending a crafted media file that encodes a large length value, leading to silent data corruption in the output stream. Such corruption can disrupt downstream processes that rely on the integrity of the data, causing potential issues like corrupted archives or polluted analytics inputs.
Impact
Exploitation of this vulnerability causes silent data corruption, where invalid bytes are introduced into the output stream without any indication of an error. This divergence from the expected output can disrupt systems that process the corrupted data, leading to broader operational issues.
Reproduction
The vulnerability can be reproduced by uploading a TIFF file with a name that encodes a length value, such as 'tears_LEN130.tif', into a system that uses the vulnerable version of the Tempus Ex Hello-Video-Codec. The 'write_bits' function will then process the file, using the untrusted length to write bits. This operation will silently corrupt the output, as evidenced by the size and SHA256 hash differences between the corrupted and a non-corrupted output file.
Remediation
To address this vulnerability, the 'write_bits' function should enforce strict input validation and reject any length value outside the range of 1 to 64 bits. The function should also use iterative logic instead of recursion, because the recursive path can fragment the internal state and lead to corruption.
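The sketch below is an added example of the remediation described above, not code from the Hello-Video-Codec project: a bit writer whose write_bits checks the length before changing any state and consumes the field in a loop. The BitWriter type, its fields, the finish and encode helpers, and the MSB-first bit order are assumptions made for illustration.

```rust
// Illustrative MSB-first bit writer; names are assumptions, not the project's source.
#[derive(Default)]
pub struct BitWriter {
    out: Vec<u8>,
    acc: u16,    // bits not yet forming a full byte
    used: usize, // number of valid bits in `acc` (0..=7)
}
impl BitWriter {
    // Writes the low `len` bits of `bits`, most significant bit first.
    pub fn write_bits(&mut self, bits: u64, len: usize) -> Result<(), String> {
        // Validate before touching state: a bad length must never reach the stream.
        if !(1..=64).contains(&len) {
            return Err(format!("bit length {} outside 1..=64", len));
        }
        let mut remaining = len;
        while remaining > 0 {
            // Take at most the bits needed to complete the current byte.
            let take = remaining.min(8 - self.used);
            let chunk = (bits >> (remaining - take)) & ((1u64 << take) - 1);
            self.acc = (self.acc << take) | chunk as u16;
            self.used += take;
            remaining -= take;
            if self.used == 8 {
                self.out.push(self.acc as u8);
                self.acc = 0;
                self.used = 0;
            }
        }
        Ok(())
    }
    // Pads the final byte with zero bits and returns the encoded bytes.
    pub fn finish(mut self) -> Vec<u8> {
        if self.used > 0 {
            self.out.push((self.acc << (8 - self.used)) as u8);
        }
        self.out
    }
}

// Encodes (value, length) fields; one out-of-range length fails the whole call.
pub fn encode(fields: &[(u64, usize)]) -> Result<Vec<u8>, String> {
    let mut w = BitWriter::default();
    fields.iter().try_for_each(|&(b, l)| w.write_bits(b, l))?;
    Ok(w.finish())
}

fn main() {
    println!("{:?}", (encode(&[(0xABC, 12)]), encode(&[(1, 130)]))); // 130: constructed bad length
}
```

With the check in place, a length such as 130 produces an error the caller must handle instead of extra bytes in the output, so a size or SHA256 comparison against a known-good file no longer diverges silently.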
