From 8dc706ec12ff4321c24239e5393fdb8655f67681 Mon Sep 17 00:00:00 2001
From: Klaus-xjp
Date: Thu, 25 Aug 2022 18:43:08 +0800
Subject: [PATCH] upgrade version for log4j, zstd, lz4, snappy for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2020-9488, CVE-2021-24032, CVE-2021-3520
---
 huaweicloud-sdk-java-dis/pom.xml | 8 ++++----
 .../java/com/huaweicloud/dis/util/compress/Lz4Util.java | 9 +++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/huaweicloud-sdk-java-dis/pom.xml b/huaweicloud-sdk-java-dis/pom.xml
index d9c4390..979be42 100644
--- a/huaweicloud-sdk-java-dis/pom.xml
+++ b/huaweicloud-sdk-java-dis/pom.xml
@@ -19,7 +19,7 @@
 1.7.26 4.5.13 4.1.4
- 2.13.3
+ 2.17.2
@@ -63,13 +63,13 @@
 org.lz4 lz4-java
- 1.7.1
+ 1.8.0
 com.github.luben zstd-jni
- 1.4.3-1
+ 1.5.2-2
@@ -107,7 +107,7 @@
 org.xerial.snappy snappy-java
- 1.1.7.2
+ 1.1.8.4
 jar compile
diff --git a/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java b/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
index 875811e..ebbac8a 100644
--- a/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
+++ b/huaweicloud-sdk-java-dis/src/main/java/com/huaweicloud/dis/util/compress/Lz4Util.java
@@ -34,6 +34,15 @@ public static byte[] compressByte(byte[] srcByte) {
 * @return
 */
 public static byte[] decompressByte(byte[] compressorByte, int srcLength) {
+ if (srcLength < 0) {
+ throw new IndexOutOfBoundsException(
+ "CVE-2021-3520: There's a flaw in lz4. An attacker who submits a crafted file to " + "an application linked with lz4 may be able to trigger an integer overflow, " + "leading to calling of memmove() on a negative size argument, causing an " + "out-of-bounds write and/or a crash. The greatest impact of this flaw is to " + "availability, with some potential impact to confidentiality and integrity " + "as well.");
+ }
 LZ4Factory factory = LZ4Factory.fastestInstance();
 LZ4FastDecompressor decompressor = factory.fastDecompressor();
 return decompressor.decompress(compressorByte, srcLength);
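Review bot: The new `srcLength < 0` guard in decompressByte does not mitigate CVE-2021-3520 — that overflow lives in the native lz4 decoder and is addressed, if at all, by the lz4-java 1.8.0 bump in pom.xml — and the method still decodes through `fastDecompressor()`, the entry point that trusts the compressed stream and is the one to avoid for input that may be crafted. A negative `srcLength` was presumably already rejected before this change (allocating the destination array for a negative length throws `NegativeArraySizeException`), so the branch only swaps the exception type and turns an advisory text into the message; an argument-focused message such as `throw new IllegalArgumentException("srcLength must be non-negative: " + srcLength);` tells the caller what was wrong. If `srcLength` comes from the message being decoded, a large positive value still allocates that many bytes before any decompression, so it should also be bounded against the caller's expected maximum. For untrusted data, prefer `safeDecompressor()` and check the number of bytes it actually produced against `srcLength` (this needs an import of `net.jpountz.lz4.LZ4SafeDecompressor`); the enclosing class and the rest of Lz4Util are outside the hunk.
```java
public static byte[] decompressByte(byte[] compressorByte, int srcLength) {
    if (srcLength < 0) {
        throw new IllegalArgumentException("srcLength must be non-negative: " + srcLength);
    }
    // The safe decompressor validates the compressed stream instead of trusting it.
    LZ4SafeDecompressor decompressor = LZ4Factory.fastestInstance().safeDecompressor();
    byte[] dest = new byte[srcLength];
    int written = decompressor.decompress(compressorByte, 0, compressorByte.length, dest, 0);
    if (written != srcLength) {
        throw new IllegalArgumentException("decompressed " + written + " bytes, expected " + srcLength);
    }
    return dest;
}
```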