PT-2023-4869 · Atlassian · Bitbucket Server+2
Srmish-Jfrog · Published 2023-06-15 · Updated 2026-05-18 · CVE-2023-34454
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: snappy-java versions prior to 1.1.10.1

Description: The issue is an integer overflow in the compress(char[] input) function of the snappy-java library that can cause an unrecoverable fatal error. The function multiplies the length of the input array by 2 and passes the product to rawCompress without checking it, so for a sufficiently large input the multiplication wraps and the length becomes negative. rawCompress hands this length to the natively compiled maxCompressedLength function, which treats it as an unsigned integer and returns a "valid" bound; the Java engine then casts that return value to a signed integer and uses it to allocate the output byte array. If the cast value is negative, a java.lang.NegativeArraySizeException is raised. If it is positive, the array is allocated but may be too small for the compression, and the native code writing past its end causes a fatal Access Violation. The same issue exists in the compress functions that receive double, float, int, long, and short arrays, each of which multiplies the length by a different factor (its element width). The problem is unlikely to occur with byte arrays: that overload applies no multiplier, so overflowing would require an array of size 0x80000000 or another negative value, which cannot be created.

Recommendations: To resolve the issue, upgrade snappy-java to version 1.1.10.1 or later. For Bitbucket Data Center and Server, upgrade to the following versions:
  • 7.21: Upgrade to a release greater than or equal to 7.21.21
  • 8.9: Upgrade to a release greater than or equal to 8.9.5
  • 8.13: Upgrade to a release greater than or equal to 8.13.1

As a temporary workaround until the patch is applied, restrict the size of inputs passed to the compress functions so that the element count multiplied by the overload's element width cannot exceed Integer.MAX_VALUE.
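The following is an added illustration of the arithmetic described above and of the caller-side input-size guard suggested as a workaround; it is not snappy-java code and not the project's fix. The native maxCompressedLength call is modelled with the upstream snappy bound 32 + n + n/6 computed on an unsigned 32-bit view of n and narrowed back to int (an assumption standing in for the JNI return cast), and the element widths for the other overloads (2 for short, 4 for int and float, 8 for long and double) are given so the guard generalises beyond char[]:

```java
/**
 * Models the integer overflow behind CVE-2023-34454 (snappy-java < 1.1.10.1).
 * Added illustration, not snappy-java code. The native bound is approximated
 * by the upstream snappy formula on an unsigned 32-bit view of the length
 * (assumption), then narrowed to int the way a jint return value would be.
 */
public class SnappyOverflowDemo {

    /** Vulnerable pattern: the per-overload multiplier is applied unchecked. */
    static int vulnerableByteLength(int elementCount, int elementBytes) {
        return elementCount * elementBytes;            // wraps silently past 2^31-1
    }

    /**
     * Caller-side guard (the interim workaround): refuse inputs whose byte
     * length cannot be represented as a Java int.
     */
    static int guardedByteLength(int elementCount, int elementBytes) {
        return Math.multiplyExact(elementCount, elementBytes); // ArithmeticException on overflow
    }

    /**
     * Model of the native maxCompressedLength: a negative int is read as an
     * unsigned value, the snappy bound 32 + n + n/6 is computed, and the
     * result is narrowed back to a signed int (assumption: 32-bit unsigned view).
     */
    static int modelMaxCompressedLength(int byteLength) {
        long n = Integer.toUnsignedLong(byteLength);
        return (int) (32 + n + n / 6);
    }

    /** What "new byte[bufSize]" followed by the native compress would do. */
    static String outcome(int byteLength) {
        int bufSize = modelMaxCompressedLength(byteLength);
        if (bufSize < 0) {
            return "NegativeArraySizeException";
        }
        long needed = Integer.toUnsignedLong(byteLength); // native side reads this many input bytes
        if (Integer.toUnsignedLong(bufSize) < needed) {
            return "buffer too small: native write past end (access violation)";
        }
        return "ok";
    }

    public static void main(String[] args) {
        // compress(char[]) multiplies by 2; short[] uses 2, int[]/float[] 4, long[]/double[] 8.
        int charBytes = 2;
        // Constructed element counts: two benign, one that wraps to 0x80000000, one that wraps to -2.
        int[] counts = { 10, 1_000_000, 0x40000000, 0x7FFFFFFF };
        for (int count : counts) {
            int bytes = vulnerableByteLength(count, charBytes);
            System.out.printf("chars=%d -> bytes=%d -> %s%n", count, bytes, outcome(bytes));
            try {
                guardedByteLength(count, charBytes);
                System.out.println("  guard: accepted");
            } catch (ArithmeticException e) {
                System.out.println("  guard: rejected, input too large for this overload");
            }
        }
    }
}
```

Under this model 0x40000000 chars wraps to a byte length of 0x80000000, the bound narrows to a negative int and the array allocation throws NegativeArraySizeException; 0x7FFFFFFF chars wraps to -2, the bound narrows to a positive int that is far smaller than the unsigned length the native side would consume, which is the too-small-buffer case. Both inputs are rejected by the multiplyExact guard, while the two benign counts pass through unchanged.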

Exploit

Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

BDU:2023-05356
CLEANSTART-2026-DD05788
CLEANSTART-2026-VH41554
CVE-2023-34454
GHSA-FJPJ-2G6W-X25R
OESA-2023-1398

Affected Products

Bitbucket
Bitbucket Server
Jira