cloudflare / golz4
Golang interface to LZ4 compression
License: BSD 3-Clause "New" or "Revised" License
Hi John,
Thanks for posting these go bindings. Is there a framing format for lz4, to allow decompression to start before you read the entire file? Like https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt
Thanks,
Jason
Similar to #4 but this is standardized now and part of the upstream project (as of r126) so it should be as simple as pulling in the new upstream code and writing another wrapper. We need this for IBM/sarama#256 if at all possible.
Hi
A dependency vulnerability scanner that I'm using (Whitesource) flagged this library as being vulnerable to CVE-2019-17543, and I'm trying to evaluate if this is a legitimate risk for us.
lz4/lz4#801 makes it sound like this underlying issue is very hard to trigger, which makes me think that perhaps golz4 is safe, because of the way it exposes the lz4 API. However, I'm not confident enough in my own understanding of the issue to be certain about this.
Would you consider updating the version of lz4 that is bundled here to include the fix for this issue? That would surely resolve the issue, and would likely include other performance, etc. benefits. It may include risks, too, though.
I'd love to hear your thoughts on this!
Some special data lets lz4 crash
package main

import (
	"io/ioutil"
	"log"
	"net/http"

	lz4 "github.com/cloudflare/golz4"
)

func main() {
	for {
		// Fetch the input that triggers the crash and feed it to lz4.Compress repeatedly.
		resp, err := http.Get("http://pub.mengsky.net/boom")
		if err != nil {
			log.Fatal(err)
		}
		body, err := ioutil.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			log.Fatal(err)
		}
		out := make([]byte, lz4.CompressBound(body))
		if _, err = lz4.Compress(body, out); err != nil {
			log.Println(err)
		}
	}
}
traceback
SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x659969]
runtime stack:
runtime.throw(0x711f04, 0x2a)
/usr/local/go/src/runtime/panic.go:605 +0x95
runtime.sigpanic()
/usr/local/go/src/runtime/signal_unix.go:351 +0x2b8
goroutine 15 [syscall, locked to thread]:
runtime.cgocall(0x667890, 0xc420583bc8, 0xc420432700)
/usr/local/go/src/runtime/cgocall.go:132 +0xe4 fp=0xc420583b88 sp=0xc420583b48 pc=0x4040c4
github.com/cloudflare/golz4._Cfunc_LZ4_compress_limitedOutput(0xc42351c000, 0xc4242b6000, 0xfbfdf000fb010, 0x0)
github.com/cloudflare/golz4/_obj/_cgo_gotypes.go:62 +0x4d fp=0xc420583bc8 sp=0xc420583b88 pc=0x63b5ad
github.com/cloudflare/golz4.Compress(0xc42351c000, 0xfb010, 0xfb010, 0xc4242b6000, 0xfbfdf, 0xfbfdf, 0x0, 0x412666, 0xc)
/go/src/github.com/cloudflare/golz4/lz4.go:50 +0x57 fp=0xc420583c18 sp=0xc420583bc8 pc=0x63b6d7
github.com/aliyun/aliyun-log-go-sdk.(*LogStore).PutLogs(0xc420290030, 0xc421f18000, 0xc42388b0c0, 0x0)
/go/src/github.com/aliyun/aliyun-log-go-sdk/log_store.go:73 +0x1fe fp=0xc420583d68 sp=0xc420583c18 pc=0x64aa8e
main.(*Relay).writeLogToSls(0xc4202901b0, 0xc420583fc8, 0x1000, 0x1000)
/go/main.go:171 +0x2f6 fp=0xc420583e30 sp=0xc420583d68 pc=0x6563c6
main.(*Relay).run(0xc4202901b0)
/go/main.go:214 +0x333 fp=0xc42058bfd8 sp=0xc420583e30 pc=0x656893
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:2337 +0x1 fp=0xc42058bfe0 sp=0xc42058bfd8 pc=0x45a071
created by main.NewRelay
/go/main.go:138 +0x17f
It seems this binding is using the unsafe version of the decoder (LZ4_uncompress). As a consequence, a malicious user could slip in some forged input to trigger an attack.
As a way to improve security, it would be better to use the safe version instead.
The safe version is called LZ4_decompress_safe().
It's also recommended to update the C source to r119, which improves security for 32-bit systems.
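To show concretely what separates the safe decoder from the unchecked one, here is an added pure-Go LZ4 block decoder (not golz4's or liblz4's code): it walks the block format (token, literal run, little-endian match offset, match length) and refuses any literal length, offset or match length that would read outside the input or write outside the output buffer, which is the class of check LZ4_decompress_safe performs and an unchecked decoder skips. sampleBlock is a hand-constructed block, not data from the issue.

```go
package main

import "errors"

// readLen completes a 4-bit length nibble (15 = keep adding the following bytes until one is not 255); returns -1 if src ends first.
func readLen(src []byte, ip, n int) (int, int) {
	for b := byte(255); n >= 15 && b == 255; ip++ {
		if ip >= len(src) {
			return -1, ip
		}
		b = src[ip]
		n += int(b)
	}
	return n, ip
}

// DecompressSafe decodes one raw LZ4 block into at most dstCap bytes, rejecting every length or offset that would read outside src or write outside dst, the checks an unsafe decoder omits.
func DecompressSafe(src []byte, dstCap int) ([]byte, error) {
	dst := make([]byte, 0, dstCap)
	for ip, litLen, matchLen := 0, 0, 0; ip < len(src); {
		token := src[ip]
		litLen, ip = readLen(src, ip+1, int(token>>4))
		if litLen < 0 || litLen > len(src)-ip || litLen > dstCap-len(dst) {
			return nil, errors.New("lz4: literal run exceeds input or output bounds")
		}
		dst = append(dst, src[ip:ip+litLen]...)
		ip += litLen
		if ip == len(src) {
			break // the last sequence carries literals only
		}
		if len(src)-ip < 2 {
			return nil, errors.New("lz4: truncated match offset")
		}
		offset := int(src[ip]) | int(src[ip+1])<<8 // little-endian distance back into dst
		if offset == 0 || offset > len(dst) {
			return nil, errors.New("lz4: match offset points before the output") // an unchecked decoder reads out of bounds here
		}
		matchLen, ip = readLen(src, ip+2, int(token&0x0f))
		if matchLen < 0 || matchLen+4 > dstCap-len(dst) {
			return nil, errors.New("lz4: match truncated or exceeds output capacity") // an unchecked decoder writes out of bounds here
		}
		for i := 0; i < matchLen+4; i++ { // minimum match is 4; byte-wise copy so overlapping matches (offset < length) work
			dst = append(dst, dst[len(dst)-offset])
		}
	}
	return dst, nil
}

// sampleBlock is constructed by hand: literals "abc", a 9-byte match at offset 3, then literals "XY".
var sampleBlock = []byte{0x35, 'a', 'b', 'c', 0x03, 0x00, 0x20, 'X', 'Y'}
```

DecompressSafe(sampleBlock, 14) yields "abcabcabcabcXY"; the same block with a capacity of 13, an offset of 0 or 4, or a truncated tail is rejected with an error instead of touching memory outside the buffers.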