VYPR
Moderate severityNVD Advisory· Published Jun 15, 2023· Updated Dec 12, 2024

snappy-java's Integer Overflow vulnerability in shuffle leads to DoS

CVE-2023-34453

Description

snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error.

The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a java.lang.NegativeArraySizeException exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as java.lang.ArrayIndexOutOfBoundsException.

The same issue exists also when using the shuffle functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.

Version 1.1.10.1 contains a patch for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xerial.snappy:snappy-javaMaven
< 1.1.10.11.1.10.1

Affected products

5

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.