CVE-2020-29367
Description
C-Blosc2 through 2.0.0.beta.5 contains a heap-based buffer overflow in blosc2.c when insufficient space is allocated for compressed data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow vulnerability exists in the blosc2.c file of C-Blosc2 versions up to and including 2.0.0.beta.5. The issue occurs in the blosc_c function during compression when there is not enough space in the destination buffer to write the compressed data. The function fails to properly check the available space before writing, leading to a write beyond the allocated buffer boundary [1][4].
Exploitation
This vulnerability can be triggered by providing a specially crafted input that, when compressed, requires more space than the output buffer provides. An attacker who can control the input data to a Blosc2 compression operation could exploit this flaw. No authentication is required, and the attack can be carried out over the network if the library is used in a service that processes untrusted data [2].
Impact
Successful exploitation writes past the end of the heap-allocated destination buffer, which can corrupt adjacent allocations, cause a denial of service, or, in some cases, lead to arbitrary code execution. The vulnerability received no CVSS score; it was reported via OSS-Fuzz and has been assigned CVE-2020-29367 [1][3].
Mitigation
The vulnerability has been fixed in the C-Blosc2 repository via commit c4c6470e88210afc95262c8b9fcc27e30ca043ee, which adds proper bounds checks in the compression routine [4]. Users should upgrade to a version containing this patch. The Python Blosc2 package also inherits this fix when updated to a patched version of C-Blosc2 [2][3].
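A simplified C model of the write pattern the fix addresses, added here as an illustration and not code from the C-Blosc2 project: the 4-byte length slot is accounted for before it is written, and every write is compared against the destination capacity, as the patched blosc_c does against destsize. The function names, the split/slot layout, and the sample input are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model (added example, not blosc's code) of the write pattern patched in
 * CVE-2020-29367: each split is emitted as a 4-byte length slot followed by its payload,
 * or, for a run of one repeated byte, as a non-positive length with no payload. */
static void sw32(uint8_t *p, int32_t v) {          /* little-endian 32-bit store */
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u; p[1] = (uint8_t)(u >> 8); p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}
static int32_t lr32(const uint8_t *p) {            /* little-endian 32-bit load */
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static int is_run(const uint8_t *s, int32_t n) {   /* 1 if all n bytes are equal */
    for (int32_t i = 1; i < n; i++) if (s[i] != s[0]) return 0;
    return 1;
}

/* Encode nsplit splits of neblock bytes into dest (capacity destsize). Mirrors the fixed
 * logic: reserve the slot first, compare against destsize before every write, and fail
 * with -1 instead of writing past dest. Returns the number of bytes written. */
int encode_block_checked(const uint8_t *src, int32_t nsplit, int32_t neblock,
                         uint8_t *dest, int32_t destsize) {
    int32_t ntbytes = 0;
    for (int32_t j = 0; j < nsplit; j++) {
        const uint8_t *s = src + j * neblock;
        ntbytes += 4;                                /* reserve the 4-byte length slot */
        if (ntbytes > destsize) return -1;           /* the check the fix added */
        uint8_t *slot = dest + ntbytes - 4;          /* blosc addresses this as dest - 4 */
        if (is_run(s, neblock)) { sw32(slot, -(int32_t)s[0]); continue; }
        if (ntbytes + neblock > destsize) return -1; /* guard the payload copy as well */
        sw32(slot, neblock);
        memcpy(dest + ntbytes, s, (size_t)neblock);
        ntbytes += neblock;
    }
    return ntbytes;
}

static const uint8_t SAMPLE[8] = {7, 7, 7, 7, 1, 2, 3, 4}; /* constructed: one run, one literal */
/* Encodes SAMPLE into a 32-byte buffer presented to the encoder as destsize (<= 32) bytes. */
int encode_sample(int32_t destsize) {
    uint8_t dest[32] = {0};
    return encode_block_checked(SAMPLE, 2, 4, dest, destsize);
}
/* Encodes SAMPLE with ample space and reads back the slot at byte offset off. */
int32_t sample_slot(int32_t off) {
    uint8_t dest[32] = {0};
    return encode_block_checked(SAMPLE, 2, 4, dest, 32) < 0 ? 0 : lr32(dest + off);
}
```

With the sample, a destination of 12 bytes is exactly enough (run slot, literal slot, 4 payload bytes), while 11 or fewer bytes makes the encoder refuse rather than write out of bounds.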
- [1] NVD - CVE-2020-29367
- [2] GitHub - Blosc/python-blosc2: A high-performance library for compressed ND arrays and columnar tables, with compute and indexing engines
- [3] advisory-database/vulns/blosc2/PYSEC-2020-343.yaml at main · pypa/advisory-database
- [4] Fixed asan heap buffer overflow when not enough space to write compre… · Blosc/c-blosc2@c4c6470
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| blosc2 (PyPI) | < 0.1.7 | 0.1.7 |
Affected products
- Blosc/C-Blosc2 (GHSA coordinates, 5 package versions, no CPE)
- pkg:pypi/blosc2: < 0.1.7
- pkg:rpm/opensuse/blosc&distro=openSUSE%20Leap%2015.1: < 1.20.1-bp152.4.3.1
- pkg:rpm/opensuse/blosc&distro=openSUSE%20Leap%2015.2: < 1.20.1-bp152.4.3.1
- pkg:rpm/suse/blosc&distro=SUSE%20Package%20Hub%2015%20SP1: < 1.20.1-bp152.4.3.1
- pkg:rpm/suse/blosc&distro=SUSE%20Package%20Hub%2015%20SP2: < 1.20.1-bp152.4.3.1
Patches
c4c6470e8821 Fixed asan heap buffer overflow when not enough space to write compressed block size.
1 file changed · +8 −4
blosc/blosc2.c+8 −4 modified@@ -706,7 +706,7 @@ static bool get_run(const uint8_t* ip, const uint8_t* ip_bound) { /* Shuffle & compress a single block */ static int blosc_c(struct thread_context* thread_context, int32_t bsize, - int32_t leftoverblock, int32_t ntbytes, int32_t maxbytes, + int32_t leftoverblock, int32_t ntbytes, int32_t destsize, const uint8_t* src, const int32_t offset, uint8_t* dest, uint8_t* tmp, uint8_t* tmp2) { blosc2_context* context = thread_context->parent_context; @@ -772,6 +772,10 @@ static int blosc_c(struct thread_context* thread_context, int32_t bsize, if (get_run(ip, ipbound)) { // A run. Encode the repeated byte as a negative length in the length of the split. int32_t value = _src[j * neblock]; + if (ntbytes > destsize) { + /* Not enough space to write out compressed block size */ + return -1; + } _sw32(dest - 4, -value); continue; } @@ -782,9 +786,9 @@ static int blosc_c(struct thread_context* thread_context, int32_t bsize, maxout = (int32_t)snappy_max_compressed_length((size_t)neblock); } #endif /* HAVE_SNAPPY */ - if (ntbytes + maxout > maxbytes) { + if (ntbytes + maxout > destsize) { /* avoid buffer * overrun */ - maxout = (int64_t)maxbytes - (int64_t)ntbytes; + maxout = (int64_t)destsize - (int64_t)ntbytes; if (maxout <= 0) { return 0; /* non-compressible block */ } @@ -859,7 +863,7 @@ static int blosc_c(struct thread_context* thread_context, int32_t bsize, /* The compressor has been unable to compress data at all. */ /* Before doing the copy, check that we are not running into a buffer overflow. */ - if ((ntbytes + neblock) > maxbytes) { + if ((ntbytes + neblock) > destsize) { return 0; /* Non-compressible data */ } memcpy(dest, _src + j * neblock, (unsigned int)neblock);
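Review bot: the maxbytes to destsize rename in the blosc_c signature (first hunk, with the matching replacements in the two later hunks) is behaviour-neutral, but the call sites of blosc_c are not in this diff; a reviewer should confirm that every caller now passes the destination buffer's actual allocated size, because the new guard and the two existing capacity checks all bound their writes by this one parameter, and a caller still passing a requested maximum compressed size rather than the real capacity would leave the overflow reachable.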
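Review bot: the new guard in the run branch (second hunk) returns -1, while the two existing capacity checks in the same function (the `maxout <= 0` path and the `(ntbytes + neblock) > destsize` path) return 0 to mean "non-compressible block"; a caller that treats 0 as "fall back to storing the block uncompressed" and a negative value as a hard error will therefore handle a run that does not fit differently from a literal block that does not fit. Either return 0 here for consistency or document why a run that does not fit is a hard failure. The comment should also state the invariant the check relies on: `ntbytes > destsize` only protects the 4-byte write at `dest - 4` if ntbytes was already advanced past that slot when it was reserved, which is not visible in this hunk.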
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8c7c-2c8j-3xfp (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-29367 (source: GHSA; type: ADVISORY)
- bugs.chromium.org/p/oss-fuzz/issues/detail (source: GHSA; tags: x_refsource_MISC, WEB)
- github.com/Blosc/c-blosc2/commit/c4c6470e88210afc95262c8b9fcc27e30ca043ee (source: GHSA; tags: x_refsource_MISC, WEB)
- github.com/Blosc/python-blosc2/releases/tag/v0.1.7 (source: GHSA; type: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/blosc2/PYSEC-2020-343.yaml (source: GHSA; type: WEB)