diff --git a/huaweicloud-sdk-java-dis/pom.xml b/huaweicloud-sdk-java-dis/pom.xml
index 730d76e..979be42 100644
--- a/huaweicloud-sdk-java-dis/pom.xml
+++ b/huaweicloud-sdk-java-dis/pom.xml
@@ -63,13 +63,13 @@
org.lz4
lz4-java
- 1.7.1
+ 1.8.0
com.github.luben
zstd-jni
- 1.4.3-1
+ 1.5.2-2
@@ -107,7 +107,7 @@
org.xerial.snappy
snappy-java
- 1.1.7.2
+ 1.1.8.4
jar
compile
diff --git a/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java b/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
index 6959242..64a723c 100644
--- a/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
+++ b/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
@@ -37,6 +37,15 @@ public static byte[] compressByte(byte[] srcByte) {
* @return
*/
public static byte[] decompressByte(byte[] compressorByte, int srcLength) {
+ if (srcLength < 0) {
+ throw new IndexOutOfBoundsException(
+ "CVE-2021-3520: There's a flaw in lz4. An attacker who submits a crafted file to "
+ + "an application linked with lz4 may be able to trigger an integer overflow, "
+ + "leading to calling of memmove() on a negative size argument, causing an "
+ + "out-of-bounds write and/or a crash. The greatest impact of this flaw is to "
+ + "availability, with some potential impact to confidentiality and integrity "
+ + "as well.");
+ }
LZ4Factory factory = LZ4Factory.fastestInstance();
LZ4FastDecompressor decompressor = factory.fastDecompressor();
return decompressor.decompress(compressorByte, srcLength);
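Review bot: The new guard in `decompressByte` rejects only a negative `srcLength`, so a length that is positive but far larger than the real payload still reaches `decompressor.decompress(compressorByte, srcLength)` and sizes the output buffer from that value. If `srcLength` can come from a record header or another peer-controlled field, add an upper bound as well, e.g. `if (srcLength < 0 || srcLength > MAX_DECOMPRESSED_LENGTH) throw new IllegalArgumentException("invalid srcLength: " + srcLength);`, where `MAX_DECOMPRESSED_LENGTH` is a placeholder for a limit the project would have to define. The fast decompressor appears to trust the declared output length rather than the length of `compressorByte`, so for untrusted input `factory.safeDecompressor()` is probably the better choice; that would need checking against the lz4-java 1.8.0 documentation. The exception message pastes the whole CVE-2021-3520 advisory text and leaves out the offending value, whereas a short message carrying `srcLength`, with the CVE reference in a code comment, is easier to triage from logs. The method's closing brace lies outside the hunk, and the `@return` tag in the Javadoc above is still empty.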