lz4_flex Out-of-Bounds Read Vulnerability in Block Decompression API
Vulnerability
A vulnerability in lz4_flex, a Rust library for LZ4 compression, allows the decompressor to read from parts of the output buffer that the current operation has not written when it is given invalid LZ4 data. The issue is present in versions 0.11.5 and below and in 0.12.0, and it can leak uninitialized memory, or data left over from previous decompression operations, into the decompressed output. It arises because the library does not properly validate the offset in the LZ4 block format's match copy operations: a match instructs the decoder to copy bytes from earlier in its own output, identified by a backward offset, and an offset larger than the number of bytes already decompressed points at memory the current operation never produced. Only the block-based API is affected; the frame APIs are not.
Impact
Decompressing malformed block data, for example input supplied by an attacker, can make the output include uninitialized memory or remnants of earlier decompression tasks that used the same buffer, so whoever receives the decompressed output may obtain sensitive information the input never contained. The effect is an information leak.
Reproduction
To reproduce the issue, call one of the block-based decompression functions with invalid LZ4 data: craft a block whose match sequence carries an offset larger than the number of bytes decompressed so far. Affected versions do not reject such an offset, so the match copies bytes that the current operation never wrote, producing the leak described above. The behaviour is also reproducible with the 'unsafe' variants of the decompression functions, which are used when the 'safe-decode' feature is disabled.
Remediation
Upgrade to lz4_flex 0.11.6 or 0.12.1, which validate match offsets during decompression and reject such input. If an upgrade is not possible, zero the output buffer before every decompression and enable the 'safe-decode' feature. Zeroing does not make the decoder reject the malformed block, but it ensures that a match reaching before the written data copies zeros rather than stale or uninitialized bytes.
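The check described in the remediation, and the crafted input described under Reproduction, as an added example written for this page. This is a minimal, std-only LZ4 block decoder, not lz4_flex's code, and it makes no claim about how lz4_flex is implemented internally; the function and error names are mine. It rejects a match whose offset is zero or exceeds the number of bytes already produced by the current call, and wraps the buffer-zeroing stopgap from the paragraph above as `decompress_zeroed`. The two blocks `valid_block` and `bad_offset_block` are constructed by hand here.

```rust
// Added example: a minimal LZ4 *block* decoder that applies the match-offset
// validation the advisory describes. Not lz4_flex code; names are mine.

#[derive(Debug, PartialEq)]
pub enum BlockError {
    TruncatedInput,
    OutputTooSmall,
    /// Offset is zero, or larger than the bytes written so far by this call,
    /// i.e. the match would read data this decompression never produced.
    InvalidOffset { offset: usize, written: usize },
}

/// LZ4 extended length: a token nibble of 15 is followed by bytes that are
/// added until one is smaller than 255.
fn read_ext_len(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, BlockError> {
    loop {
        let b = *input.get(*ip).ok_or(BlockError::TruncatedInput)?;
        *ip += 1;
        len += b as usize;
        if b != 255 {
            return Ok(len);
        }
    }
}

/// Decompresses one raw LZ4 block into `out`; returns the bytes written.
pub fn decompress_block(input: &[u8], out: &mut [u8]) -> Result<usize, BlockError> {
    let mut ip = 0usize; // input cursor
    let mut op = 0usize; // output cursor == bytes written so far
    loop {
        let token = *input.get(ip).ok_or(BlockError::TruncatedInput)?;
        ip += 1;

        // Literals: high nibble of the token, extended when it is 15.
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 {
            lit_len = read_ext_len(input, &mut ip, lit_len)?;
        }
        let lits = input.get(ip..ip + lit_len).ok_or(BlockError::TruncatedInput)?;
        out.get_mut(op..op + lit_len)
            .ok_or(BlockError::OutputTooSmall)?
            .copy_from_slice(lits);
        ip += lit_len;
        op += lit_len;

        // A block ends with a literals-only sequence.
        if ip == input.len() {
            return Ok(op);
        }

        // Match: 16-bit little-endian offset, then length = low nibble + 4.
        let off = input.get(ip..ip + 2).ok_or(BlockError::TruncatedInput)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0F) as usize;
        if match_len == 15 {
            match_len = read_ext_len(input, &mut ip, match_len)?;
        }
        match_len += 4;

        // The check this advisory is about: the copy source must lie inside
        // the bytes already written by *this* decompression. Without it, a
        // crafted offset reaches whatever the buffer held before the call.
        if offset == 0 || offset > op {
            return Err(BlockError::InvalidOffset { offset, written: op });
        }
        if op + match_len > out.len() {
            return Err(BlockError::OutputTooSmall);
        }
        // Byte-wise copy so overlapping matches (offset < match_len) work.
        for i in 0..match_len {
            out[op + i] = out[op + i - offset];
        }
        op += match_len;
    }
}

/// The advisory's stopgap for callers who cannot upgrade: clear the buffer
/// first so a bad match can only ever copy zeros, never stale data.
pub fn decompress_zeroed(input: &[u8], out: &mut [u8]) -> Result<usize, BlockError> {
    out.fill(0);
    decompress_block(input, out)
}

/// Constructed valid block: 'A', then a match (offset 1, length 15+1+4 = 20)
/// giving 21 'A's, then a final literals-only sequence holding 'B'.
pub fn valid_block() -> Vec<u8> {
    vec![0x1F, b'A', 0x01, 0x00, 0x01, 0x10, b'B']
}

/// Constructed invalid block: one literal, then a match with offset 8 when
/// only 1 byte has been written. A decoder lacking the check above would
/// read 7 bytes from before the data it produced.
pub fn bad_offset_block() -> Vec<u8> {
    vec![0x10, b'A', 0x08, 0x00, 0x10, b'B']
}

fn main() {
    let mut out = [b'S'; 64]; // 'S' stands in for stale data from an earlier use
    let ok = decompress_block(&valid_block(), &mut out);
    println!("valid block: {:?} {:?}", ok, String::from_utf8_lossy(&out[..22]));
    println!("bad offset:  {:?}", decompress_block(&bad_offset_block(), &mut out));
}
```

The decoder rejects the crafted block with `InvalidOffset { offset: 8, written: 1 }` instead of copying from before its own output; the `out.fill(0)` in `decompress_zeroed` is redundant with a decoder that validates offsets, and is shown only as the shape of the stopgap the advisory recommends for affected versions.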
