
golz4's People

Contributors

jgrahamc, rw


golz4's Issues

Framing Format Support

Similar to #4 but this is standardized now and part of the upstream project (as of r126) so it should be as simple as pulling in the new upstream code and writing another wrapper. We need this for IBM/sarama#256 if at all possible.

Is there any exposure to CVE-2019-17543?

Hi

A dependency vulnerability scanner that I'm using (Whitesource) flagged this library as being vulnerable to CVE-2019-17543, and I'm trying to evaluate if this is a legitimate risk for us.

lz4/lz4#801 makes it sound like this underlying issue is very hard to trigger, which makes me think that perhaps golz4 is safe, because of the way it exposes the lz4 API. However, I'm not confident enough in my own understanding of the issue to be certain about this.

Would you consider updating the version of lz4 that is bundled here to include the fix for this issue? That would surely resolve the issue, and would likely bring other benefits (performance, etc.) as well. It may include risks, too, though.

I'd love to hear your thoughts on this!

call lz4 crash

Some special data makes lz4 crash.

package main

import (
	"io/ioutil"
	"log"
	"net/http"

	lz4 "github.com/cloudflare/golz4"
)

func main() {
	for {
		// Fetch the input that triggers the crash and compress it repeatedly.
		resp, err := http.Get("http://pub.mengsky.net/boom")
		if err != nil {
			log.Fatal(err)
		}
		body, err := ioutil.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			log.Fatal(err)
		}
		// CompressBound gives the worst-case output size for this input.
		out := make([]byte, lz4.CompressBound(body))
		if _, err = lz4.Compress(body, out); err != nil {
			log.Fatal(err)
		}
	}
}

traceback

[signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x659969]

runtime stack:
runtime.throw(0x711f04, 0x2a)
/usr/local/go/src/runtime/panic.go:605 +0x95
runtime.sigpanic()
/usr/local/go/src/runtime/signal_unix.go:351 +0x2b8

goroutine 15 [syscall, locked to thread]:
runtime.cgocall(0x667890, 0xc420583bc8, 0xc420432700)
/usr/local/go/src/runtime/cgocall.go:132 +0xe4 fp=0xc420583b88 sp=0xc420583b48 pc=0x4040c4
github.com/cloudflare/golz4._Cfunc_LZ4_compress_limitedOutput(0xc42351c000, 0xc4242b6000, 0xfbfdf000fb010, 0x0)
github.com/cloudflare/golz4/_obj/_cgo_gotypes.go:62 +0x4d fp=0xc420583bc8 sp=0xc420583b88 pc=0x63b5ad
github.com/cloudflare/golz4.Compress(0xc42351c000, 0xfb010, 0xfb010, 0xc4242b6000, 0xfbfdf, 0xfbfdf, 0x0, 0x412666, 0xc)
/go/src/github.com/cloudflare/golz4/lz4.go:50 +0x57 fp=0xc420583c18 sp=0xc420583bc8 pc=0x63b6d7
github.com/aliyun/aliyun-log-go-sdk.(*LogStore).PutLogs(0xc420290030, 0xc421f18000, 0xc42388b0c0, 0x0)
/go/src/github.com/aliyun/aliyun-log-go-sdk/log_store.go:73 +0x1fe fp=0xc420583d68 sp=0xc420583c18 pc=0x64aa8e
main.(*Relay).writeLogToSls(0xc4202901b0, 0xc420583fc8, 0x1000, 0x1000)
/go/main.go:171 +0x2f6 fp=0xc420583e30 sp=0xc420583d68 pc=0x6563c6
main.(*Relay).run(0xc4202901b0)
/go/main.go:214 +0x333 fp=0xc42058bfd8 sp=0xc420583e30 pc=0x656893
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:2337 +0x1 fp=0xc42058bfe0 sp=0xc42058bfd8 pc=0x45a071
created by main.NewRelay
/go/main.go:138 +0x17f

Use the secure decoder version

It seems this binding is using the unsafe version of the decoder (LZ4_uncompress). As a consequence, a malicious user could slip in some forged input to trigger an attack.

As a way to improve security, it would be better to use the safe version instead.
The safe version is called LZ4_decompress_safe().
It's also recommended to update the C source to r119, which improves security for 32-bit systems.
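To make concrete what the "safe" decoder has to do that the unsafe one skips, here is an added example (not golz4 or lz4 project code): a minimal bounds-checked decoder for the public LZ4 block format that rejects forged input instead of reading or writing outside its buffers. The sample blocks are constructed by hand for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bounds-checked LZ4 block decoder (added example, not golz4 code).
 * Returns the decompressed length, or -1 on malformed or oversized input.
 * Every read from src, every write to dst and every match offset is validated. */
int lz4_block_decompress_safe(const uint8_t *src, size_t src_len,
                              uint8_t *dst, size_t dst_cap) {
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        uint8_t token = src[ip++], b;
        size_t lit = token >> 4, mlen = token & 0x0F, offset;
        if (lit == 15)                       /* extended literal length */
            do { if (ip >= src_len) return -1; b = src[ip++]; lit += b; } while (b == 255);
        if (lit > src_len - ip || lit > dst_cap - op) return -1;
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == src_len) return (int)op;   /* final sequence carries literals only */
        if (src_len - ip < 2) return -1;
        offset = src[ip] | ((size_t)src[ip + 1] << 8);
        ip += 2;
        if (offset == 0 || offset > op) return -1;  /* match would read before dst[0] */
        if (mlen == 15)                      /* extended match length */
            do { if (ip >= src_len) return -1; b = src[ip++]; mlen += b; } while (b == 255);
        mlen += 4;                           /* MINMATCH */
        if (mlen > dst_cap - op) return -1;
        for (size_t i = 0; i < mlen; i++) { dst[op] = dst[op - offset]; op++; } /* overlap is legal */
    }
    return (int)op;
}
/* Constructed valid block: literals "abc", match (offset 3, length 12), literals "XYZ12". */
static const uint8_t VALID_BLOCK[] = {0x38,'a','b','c',0x03,0x00,0x50,'X','Y','Z','1','2'};
/* Constructed forged block: match offset 16 while nothing has been written yet. */
static const uint8_t FORGED_BLOCK[] = {0x04, 0x10, 0x00};
int demo_valid(void) {              /* expect 20, output "abcabcabcabcabcXYZ12" */
    uint8_t out[32];
    int n = lz4_block_decompress_safe(VALID_BLOCK, sizeof VALID_BLOCK, out, sizeof out);
    return (n == 20 && memcmp(out, "abcabcabcabcabcXYZ12", 20) == 0) ? n : -2;
}
int demo_forged(void) {             /* expect -1: rejected instead of reading out of bounds */
    uint8_t out[32];
    return lz4_block_decompress_safe(FORGED_BLOCK, sizeof FORGED_BLOCK, out, sizeof out);
}
int demo_small_dst(void) {          /* expect -1: 20 bytes do not fit in 8 */
    uint8_t out[8];
    return lz4_block_decompress_safe(VALID_BLOCK, sizeof VALID_BLOCK, out, sizeof out);
}
int main(void) { printf("%d %d %d\n", demo_valid(), demo_forged(), demo_small_dst()); return 0; }
```

An unchecked decoder given FORGED_BLOCK would copy from dst[-16]; the checked one returns -1 before touching memory, which is the property LZ4_decompress_safe() provides and LZ4_uncompress() does not.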
