CVE-2019-17543

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4write32 (related to LZ4compressdestSize), affecting applications that call LZ4compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

References

Affected packages

Git / github.com/lz4/lz4

Affected ranges

Type: GIT
Repo: https://github.com/lz4/lz4
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fdf2ef5809ca875c454510610764d9125ef2ebbd

Affected versions

Other

lz4-r130

r117

r118

r119

r120

r121

r122

r123

r124

r125

r126

r127

r128

r129

r130

r131

rc129v0

v1.*

v1.7.3

v1.7.4

v1.7.4.2

v1.7.5

v1.8.0

v1.8.1

v1.8.1.2

v1.8.2

v1.8.3

v1.9.0

v1.9.1

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "61011784323741544421519885770648292192",
            "length": 6841.0
        },
        "source": "https://github.com/lz4/lz4/commit/fdf2ef5809ca875c454510610764d9125ef2ebbd",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2019-17543-b1728100",
        "target": {
            "function": "fuzzerTests",
            "file": "tests/frametest.c"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "325100058228336016223022397709697290259",
                "200105775490831143229869207908691188226",
                "165779088698909068794914726885539428532",
                "83614538809166404914961511938413066878"
            ]
        },
        "source": "https://github.com/lz4/lz4/commit/fdf2ef5809ca875c454510610764d9125ef2ebbd",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2019-17543-f2e73d94",
        "target": {
            "file": "tests/frametest.c"
        }
    }
]