Airlift Aircompressor Snappy and LZ4 Decompression Buffer Leak Vulnerability
Vulnerability
A vulnerability in the Airlift Aircompressor library, affecting versions prior to 3.4, allows remote attackers to read sensitive data from a reused output buffer in the Snappy and LZ4 decompressor implementations. The leak occurs when crafted compressed inputs are processed, which can expose previous buffer contents in the uncompressed output. The issue is particularly relevant for applications that allocate fixed-size buffers for performance and reuse them, as they may inadvertently leak information across multiple decompression calls.
Impact
Exploitation of this vulnerability can lead to unauthorized disclosure of sensitive information from the output buffer.
Reproduction
The vulnerability can be reproduced by using the Airlift Aircompressor library version 3.3 or below and applying a crafted compressed input that takes advantage of the decompressor's incorrect handling of match offsets. This can be done with the Snappy or LZ4 decompressor, where the crafted input causes the decompressor to copy pre-existing data from the output buffer into the uncompressed output, thereby leaking sensitive information.
Remediation
Users can upgrade to Airlift Aircompressor version 3.4, where this vulnerability has been fixed. Alternatively, the vulnerability can be mitigated by avoiding the reuse of the decompression buffer across multiple calls or by clearing the buffer before each decompression operation.
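The following added example is not Aircompressor code and does not use the Snappy or LZ4 wire format. It models the bug class in a toy LZ token stream to show why a reused buffer leaks when match offsets are only bounds-checked, and how clearing the buffer or validating offsets against the current call's output closes the leak. The format, the names decompress and second_call_output, and the sample data are all assumptions constructed for illustration.

```python
class MalformedInput(ValueError):
    """Raised for an inconsistent token stream."""

def decompress(data, out, validate_offsets=True):
    """Decode a toy LZ stream into out[0:]; return the number of bytes written.

    Toy format (constructed here, not the Snappy or LZ4 wire format):
      0x00 n <n bytes>   literal run
      0x01 offset n      copy n bytes starting `offset` bytes behind the cursor
    """
    pos = i = 0
    while i < len(data):
        tag = data[i]
        if tag == 0x00 and i + 1 < len(data):
            n = data[i + 1]
            literal = data[i + 2:i + 2 + n]
            if len(literal) != n or pos + n > len(out):
                raise MalformedInput("bad literal run")
            out[pos:pos + n] = literal
            i += 2 + n
        elif tag == 0x01 and i + 2 < len(data):
            offset, n = data[i + 1], data[i + 2]
            src = pos - offset
            if src < 0 or pos + n > len(out):
                raise MalformedInput("copy outside the buffer")
            # Bounds alone are not enough: the match must start inside the
            # bytes this call has already written, i.e. in [0, pos).
            if validate_offsets and src >= pos:
                raise MalformedInput("match offset outside current output")
            for k in range(n):  # byte-wise so overlapping matches work
                out[pos + k] = out[src + k]
            i += 3
        else:
            raise MalformedInput("bad token")
        pos += n
    return pos

SECRET = b"token=s3cr3t"  # constructed sample data
FIRST = bytes([0x00, len(SECRET)]) + SECRET
SECOND = bytes([0x00, 2]) + b"hi" + bytes([0x01, 0, 8])  # constructed malformed input

def second_call_output(clear_buffer, validate_offsets):
    buf = bytearray(16)  # fixed-size buffer reused across calls
    decompress(FIRST, buf)
    if clear_buffer:
        buf[:] = bytes(len(buf))  # mitigation: zero the buffer before reuse
    written = decompress(SECOND, buf, validate_offsets)
    return bytes(buf[:written])
```

With neither mitigation the second call's output contains bytes left over from the first call; with clearing it contains only zeros in their place, and with offset validation the malformed input is rejected.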
