Srmish-Jfrog

**Name of the Vulnerable Software and Affected Versions** snappy-java versions prior to 1.1.10.1 **Description** The issue is related to an integer overflow in the `compress(char[] input)` function of the snappy-java library, which can cause an unrecoverable fatal error. This occurs when the length of the input array is multiplied by 2 and passed to the `rawCompress` function, potentially resulting in a negative value. The `maxCompressedLength` function treats this length as an unsigned integer and returns a valid value, which is then cast to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception is raised, while a positive result may lead to a fatal Access Violation error due to the allocated array being too small for compression. The same issue exists for `compress` functions receiving double, float, int, long, and short values, each using different multipliers. The problem is unlikely to occur with byte arrays, as creating an array of size 0x80000000 or any other negative value is impossible. **Recommendations** To resolve the issue, upgrade snappy-java to version 1.1.10.1 or later. For Bitbucket Data Center and Server, upgrade to the following versions: * 7.21: Upgrade to a release greater than or equal to 7.21.21 * 8.9: Upgrade to a release greater than or equal to 8.9.5 * 8.13: Upgrade to a release greater than or equal to 8.13.1 As a temporary workaround, consider restricting the input size to prevent integer overflows until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** snappy-java versions prior to 1.1.10.1 **Description** The issue is related to the use of an unchecked chunk length in the `hasNextChunk` function of the `SnappyInputStream` class, which can lead to an unrecoverable fatal error. This error occurs when the code attempts to read 4 bytes from the input stream and treats them as the length of the next chunk. If the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code does not test the legality of the `chunkSize` variable, it is possible to pass a negative number or a huge positive value, which can cause the code to raise a `java.lang.NegativeArraySizeException` or a fatal `java.lang.OutOfMemoryError`. **Recommendations** For snappy-java versions prior to 1.1.10.1, upgrade to version 1.1.10.1 or later to resolve the issue. For Bitbucket Data Center and Server 7.21, upgrade to a release greater than or equal to 7.21.21. For Bitbucket Data Center and Server 8.9, upgrade to a release greater than or equal to 8.9.5. For Bitbucket Data Center and Server 8.13, upgrade to a release greater than or equal to 8.13.1.

**Name of the Vulnerable Software and Affected Versions** snappy-java versions prior to 1.1.10.1 **Description** The issue is related to an integer overflow in the `shuffle(int[] input)` function in the file `BitShuffle.java`, which can cause a fatal error. This function applies a bit shuffle to an array of integers by multiplying the length by 4 and passing it to a natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow, resulting in a smaller value than the true size, or even zero or negative. This can lead to exceptions such as `java.lang.NegativeArraySizeException` or `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists when using the `shuffle` functions that receive a double, float, long, and short, each using a different multiplier that may cause the same issue. **Recommendations** To resolve the issue, update snappy-java to version 1.1.10.1 or later. As a temporary workaround, consider restricting the use of the `shuffle` functions in the affected versions until a patch is applied. Avoid using the `shuffle` functions with large input arrays that may cause an integer overflow.