deps: update dependency org.xerial.snappy:snappy-java to v1.1.10.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.xerial.snappy:snappy-java	1.1.10.0 -> 1.1.10.1

GitHub Vulnerability Alerts

CVE-2023-34453

Summary

Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.

Impact

Denial of Service

Description

The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.

public static byte[] shuffle(int[] input) throws IOException {
        byte[] output = new byte[input.length * 4];
        int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);
        assert(numProcessed == input.length * 4);
        return output;
    }

Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.
The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.

Steps To Reproduce

Compile and run the following code:

package org.example;
import org.xerial.snappy.BitShuffle;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        int[] original = new int[0x40000000];
        byte[] shuffled = BitShuffle.shuffle(original);
        System.out.println(shuffled[0]);
    }
}

The program will crash, showing the following error (or similar):

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
	at org.example.Main.main(Main.java:12)

Process finished with exit code 1

Alternatively - compile and run the following code:

package org.example;
import org.xerial.snappy.BitShuffle;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        int[] original = new int[0x20000000];
        byte[] shuffled = BitShuffle.shuffle(original);
    }
}

The program will crash with the following error (or similar):

Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648
	at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)
	at org.example.Main.main(Main.java:11)

Credit

The vulnerability was discovered by Ori Hollander of the JFrog Security Research Team

---

Release Notes

xerial/snappy-java

v1.1.10.1

Compare Source

What's Changed

🐛 Bug Fixes

• Fixed several vulnerabilities by @​aidanchiu1112:
  • CVE-2023-34453 Integer overflow in shuffle
  • CVE-2023-34454 Integer overflow in compress
  • CVE-2023-34455 Unchecked chunk length
• internal: Fix commit message by @​xerial in https://github.com/xerial/snappy-java/pull/447
• internal: Fix CI target branch by @​xerial in https://github.com/xerial/snappy-java/pull/449
• Fix typo by @​aidanchiu1112 in https://github.com/xerial/snappy-java/pull/457
• CI Fix to Prevent Checks Dealing with Large Array Sizes by @​aidanchiu1112 in https://github.com/xerial/snappy-java/pull/459

🔗 Dependency Updates

• Update native libraries by @​github-actions in https://github.com/xerial/snappy-java/pull/445
• Update native libraries by @​github-actions in https://github.com/xerial/snappy-java/pull/450
• Update scalafmt-core to 3.7.4 by @​xerial-bot in https://github.com/xerial/snappy-java/pull/454
• Update sbt to 1.9.0 by @​xerial-bot in https://github.com/xerial/snappy-java/pull/455

🛠 Internal Updates

• Trigger native lib build on PR by @​imsudiproy in https://github.com/xerial/snappy-java/pull/444
• internal: Run CI tests on native file change by @​xerial in https://github.com/xerial/snappy-java/pull/446
• internal: Run CI tests for update-native-libs branch by @​xerial in https://github.com/xerial/snappy-java/pull/448
• intertnal: Fix CI watch target files by @​xerial in https://github.com/xerial/snappy-java/pull/451
• Update airframe-log to 23.5.6 by @​xerial-bot in https://github.com/xerial/snappy-java/pull/453

New Contributors

• @​imsudiproy made their first contribution in https://github.com/xerial/snappy-java/pull/444
• @​github-actions made their first contribution in https://github.com/xerial/snappy-java/pull/445
• @​aidanchiu1112 made their first contribution in https://github.com/xerial/snappy-java/pull/457

Full Changelog: xerial/snappy-java@v1.1.10.0...v1.1.10.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[forking-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.