PT-2023-4871 · Unknown+1 · Snappy-Java+2

Srmish-Jfrog · Published 2023-06-15 · Updated 2026-05-18 · CVE-2023-34453

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

snappy-java versions prior to 1.1.10.1

Description

The issue is related to an integer overflow in the shuffle(int[] input) function in the file BitShuffle.java, which can cause a fatal error. This function applies a bit shuffle to an array of integers by multiplying the length by 4 and passing it to a natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow, resulting in a smaller value than the true size, or even zero or negative. This can lead to exceptions such as java.lang.NegativeArraySizeException or java.lang.ArrayIndexOutOfBoundsException. The same issue exists when using the shuffle functions that receive a double, float, long, and short, each using a different multiplier that may cause the same issue.

Recommendations

To resolve the issue, update snappy-java to version 1.1.10.1 or later. As a temporary workaround, consider restricting the use of the shuffle functions in the affected versions until a patch is applied. Avoid using the shuffle functions with large input arrays that may cause an integer overflow.
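The wraparound the description refers to, shown with plain int arithmetic next to an overflow-checked size calculation. This is an added example, not code from snappy-java or its patch; the class and method names are hypothetical and the element counts are constructed, so no large array is allocated.

```java
// Added illustration; not snappy-java source. All names are hypothetical.
public class ShuffleLengthCheck {

    // Unchecked pattern from the description: element count times element
    // width, computed in 32-bit int arithmetic, which wraps silently.
    static int uncheckedByteLength(int elementCount, int elementWidth) {
        return elementCount * elementWidth;
    }

    // Defensive pattern: Math.multiplyExact throws ArithmeticException on
    // int overflow, so a wrapped size is rejected before any allocation
    // or native call sees it.
    static int checkedByteLength(int elementCount, int elementWidth) {
        if (elementCount < 0 || elementWidth <= 0) {
            throw new IllegalArgumentException("invalid length or width");
        }
        try {
            return Math.multiplyExact(elementCount, elementWidth);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException(
                "input too large: " + elementCount + " elements of "
                + elementWidth + " bytes exceed Integer.MAX_VALUE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed element counts for an int[] (4 bytes per element).
        int[] counts = { 1_000, 0x2000_0000, 0x4000_0000, 0x4000_0001 };
        for (int n : counts) {
            long trueSize = (long) n * Integer.BYTES;   // 64-bit reference value
            int wrapped = uncheckedByteLength(n, Integer.BYTES);
            String verdict;
            try {
                verdict = "accepted, " + checkedByteLength(n, Integer.BYTES) + " bytes";
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            System.out.printf("count=%d true=%d unchecked=%d checked=%s%n",
                n, trueSize, wrapped, verdict);
        }
    }
}
```

The same check applies to the other element types by passing their width (for example Long.BYTES or Short.BYTES) as the second argument.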

Exploit

Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

BDU:2023-05358
CLEANSTART-2026-DD05788
CLEANSTART-2026-VH41554
CVE-2023-34453
GHSA-PQR6-CMR2-H8HF

Affected Products

Bitbucket
Jira
Snappy-Java