Headline
CVE-2020-8927: Release v1.0.9 · google/brotli
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a “one-shot” decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the “streaming” API as opposed to the “one-shot” API, and impose chunk size limits.
SECURITY: decoder: fix integer overflow when input chunk is larger than 2GiB (CVE-2020-8927)
Other changes:
- add support WASM (emscripten) build
- brotli -v now reports raw / compressed size
- build files / docs maintenance
- reduce sources tarball size
- decoder: minor speed / memory usage improvements
- encoder: fix rare access to uninitialized data in ring-buffer
- encoder: improve support for platforms that does not have log2
- encoder: better support for MSVC (replacement for __builtin_clz and __builtin_ctzll
- python: decompress now reports error if there is unused after the end of compressed input