Unrated severity · NVD Advisory · Published Jan 3, 2021 · Updated Aug 4, 2024
CVE-2020-35963
CVE-2020-35963
Description
flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.
Affected products
2- Fluent Bit/flb_gzipdescription
Patches
2626b22f1dff6tests: internal: aws_credentials_sts: initialize context with zeros
1 file changed · +11 −11
tests/internal/aws_credentials_sts.c+11 −11 modified@@ -402,7 +402,7 @@ static void test_eks_provider() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -427,7 +427,7 @@ static void test_eks_provider() { return; } - provider = flb_eks_provider_create(config, NULL, "us-west-2", + provider = flb_eks_provider_create(config, NULL, "us-west-2", "https://sts.us-west-2.amazonaws.com", NULL, generator_in_test()); @@ -478,7 +478,7 @@ static void test_eks_provider_random_session_name() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -552,7 +552,7 @@ static void test_eks_provider_unexpected_api_response() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -573,7 +573,7 @@ static void test_eks_provider_unexpected_api_response() { return; } - provider = flb_eks_provider_create(config, NULL, "us-west-2", + provider = flb_eks_provider_create(config, NULL, "us-west-2", "https://sts.us-west-2.amazonaws.com", NULL, generator_in_test()); @@ -608,7 +608,7 @@ static void test_eks_provider_api_error() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -629,7 +629,7 @@ static void test_eks_provider_api_error() { return; } - provider = flb_eks_provider_create(config, NULL, "us-west-2", + provider = flb_eks_provider_create(config, NULL, "us-west-2", "https://sts.us-west-2.amazonaws.com", NULL, generator_in_test()); @@ -665,7 +665,7 @@ static void test_sts_provider() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; 
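Review bot: Each `if (!config) { flb_errno(); return; }` branch that follows the new `flb_calloc` returns without recording a failure, so an allocation failure would probably let the test finish as if it had passed; report it through the test harness's check mechanism before returning. The same applies to the hunks at -478, -552, -608, -665, -755 and -831. As a smaller style point, `flb_calloc(1, sizeof(*config))` ties the size to the variable, and the seven identical setups could share one helper. The test functions start and end outside these hunks.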
@@ -755,7 +755,7 @@ static void test_sts_provider_api_error() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -831,7 +831,7 @@ static void test_sts_provider_unexpected_api_response() { g_request_count = 0; - config = flb_malloc(sizeof(struct flb_config)); + config = flb_calloc(1, sizeof(struct flb_config)); if (!config) { flb_errno(); return; @@ -866,7 +866,7 @@ static void test_sts_provider_unexpected_api_response() { provider = flb_sts_provider_create(config, NULL, base_provider, "external_id", "arn:aws:iam::123456789012:role/" "unexpected_api_response", - "session_name", "cn-north-1", + "session_name", "cn-north-1", "https://sts.us-west-2.amazonaws.com", NULL, generator_in_test());
cadff53c0932gzip: fix compression size calculation (oss-fuzz 27261)
1 file changed · +18 −1
src/flb_gzip.c+18 −1 modified@@ -77,8 +77,25 @@ int flb_gzip_compress(void *in_data, size_t in_len, z_stream strm; mz_ulong crc; - out_size = in_len + 32; + + /* + * GZIP relies on an algorithm with worst-case expansion + * of 5 bytes per 32KB data. This means we need to create a variable + * length output, that depends on the input length. + * See RFC 1951 for details. + */ + int max_input_expansion = ((int)(in_len / 32000) + 1) * 5; + + /* + * Max compressed size is equal to sum of: + * 10 byte header + * 8 byte foot + * max input expansion + * size of input + */ + out_size = 10 + 8 + max_input_expansion + in_len; out_buf = flb_malloc(out_size); + if (!out_buf) { flb_errno(); flb_error("[gzip] could not allocate outgoing buffer");
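Review bot: The new bound is computed through `int` (`((int)(in_len / 32000) + 1) * 5`) and then added to `in_len` with no overflow check, so the size that guards the write is only right while the narrowing cast and the final sum stay in range. Keep it in `size_t`, e.g. `size_t max_input_expansion = (in_len / 32000 + 1) * 5;`, and reject an `in_len` for which `10 + 8 + max_input_expansion + in_len` would wrap before calling `flb_malloc`. The comment should also say why the divisor is 32000 and which stored-block size the deflate implementation actually emits, because the bound only holds if blocks are never shorter than that; the library's own bound is not shown on this page. flb_gzip_compress continues outside the hunk, so it cannot be confirmed here that the deflate output limit is derived from `out_size` minus the 10-byte header.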
References
3
- bugs.chromium.org/p/oss-fuzz/issues/detail (mitre, x_refsource_MISC)
- fluentbit.io/announcements/v1.6.4/ (mitre, x_refsource_MISC)
- github.com/fluent/fluent-bit/commit/cadff53c093210404aed01c4cf586adb8caa07af (mitre, x_refsource_MISC)