#13973 closed enhancement (fixed)

brotli-v-1.0.9

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 11 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 11 months ago

Summary: brotli-v-1.0.8 → brotli-v-1.0.9

Now version 1.0.9.

comment:3 by Bruce Dubbs, 11 months ago

SECURITY NOTE

Please consider updating brotli to version 1.0.9 (latest).

Version 1.0.9 contains a fix for an "integer overflow" problem. This happens when the "one-shot" decoding API is used (or the input chunk for the streaming API is not limited), the input size (chunk size) is larger than 2GiB, and the input contains uncompressed blocks. After the overflow happens, memcpy is invoked with a gigantic num value, which will likely cause a crash.

SECURITY: decoder: fix integer overflow when input chunk is larger than 2GiB

Other changes:

  • add support WASM (emscripten) build
  • brotli -v now reports raw / compressed size
  • build files / docs maintenance
  • reduce sources tarball size
  • decoder: minor speed / memory usage improvements
  • encoder: fix rare access to uninitialized data in ring-buffer
  • encoder: improve support for platforms that do not have log2
  • encoder: better support for MSVC (replacement for builtin_clz and builtin_ctzll)
  • python: decompress now reports an error if there is unused data after the end of compressed input
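
An added illustration of the overflow class described in the note above (example code written for this page, not brotli's decoder source): a decoder that tracks the bytes available in the current input chunk as a 32-bit signed int, so a one-shot call with more than 2 GiB truncates to a negative count that is then converted to an enormous memcpy length. Beside it is a size_t version that caps the bytes consumed per call, plus the caller-side discipline the note implies for the streaming API: feed the input in bounded chunks. The 1 GiB MAX_CHUNK bound, the function names and the constructed 2 GiB + 1 input size are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug class, not brotli's code: the remaining
 * input of an uncompressed block is tracked in int32_t while the caller
 * supplies avail_in as size_t. */

/* Buggy variant: min(block_len, avail_in) computed in int32_t. A chunk of
 * 2 GiB + 1 bytes truncates to a negative value, and that negative value
 * converted back to size_t becomes a gigantic memcpy length. (Conversion of
 * an out-of-range value to a signed type is implementation-defined; on the
 * usual two's-complement targets it wraps.) */
static size_t buggy_copy_len(size_t block_len, size_t avail_in) {
    int32_t avail = (int32_t)avail_in;
    int32_t blen = (int32_t)block_len;
    int32_t n = (avail < blen) ? avail : blen;
    return (size_t)n;
}

/* Assumed per-call cap for this example: 1 GiB, comfortably below 2^31. */
#define MAX_CHUNK ((size_t)1 << 30)

/* Hardened variant: stay in size_t and never consume more than MAX_CHUNK
 * bytes in one call, so no intermediate value can exceed the int range. */
static size_t safe_copy_len(size_t block_len, size_t avail_in) {
    if (avail_in > MAX_CHUNK) {
        avail_in = MAX_CHUNK;
    }
    return (avail_in < block_len) ? avail_in : block_len;
}

/* Caller-side mitigation for a streaming API: number of calls needed to
 * hand over `total` bytes when each call carries at most MAX_CHUNK. */
static size_t chunks_needed(size_t total) {
    return total / MAX_CHUNK + (total % MAX_CHUNK != 0 ? 1 : 0);
}

/* Would a memcpy of copy_len bytes overrun a destination of dst_len bytes? */
static int would_overrun(size_t copy_len, size_t dst_len) {
    return copy_len > dst_len;
}

int main(void) {
    size_t big = ((size_t)1 << 31) + 1;  /* constructed: 2 GiB + 1 byte of input */
    size_t block = 16;                   /* uncompressed block of 16 bytes */
    size_t dst = 16;                     /* destination buffer of 16 bytes */

    size_t bad = buggy_copy_len(block, big);
    size_t good = safe_copy_len(block, big);

    printf("buggy copy length: %zu (overrun: %s)\n", bad,
           would_overrun(bad, dst) ? "yes" : "no");
    printf("safe copy length : %zu (overrun: %s)\n", good,
           would_overrun(good, dst) ? "yes" : "no");
    printf("calls to feed %zu bytes at %zu per call: %zu\n",
           big, MAX_CHUNK, chunks_needed(big));
    return 0;
}
```

The check a packager or downstream user can apply is the one the note states: either upgrade to 1.0.9, or make sure no single decoder call receives more than 2 GiB of input, which for the streaming API means bounding the chunk size as chunks_needed does here.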

comment:4 by Douglas R. Reno, 11 months ago

Priority: normal → high

Mark as high due to integer overflow issue.

comment:5 by Bruce Dubbs, 11 months ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 23689.
