A buffer overflow exists in the Brotli library in versions prior to 1.0.8: an attacker who controls the input length of a "one-shot" decompression request can trigger a crash, which happens when the decoder copies chunks of data larger than 2 GiB. It is recommended to update the Brotli library to 1.0.8 or later. If updating is not possible, we recommend using the "streaming" API instead of the "one-shot" API and imposing chunk size limits.
Created brotli tracking bugs for this issue:
Affects: epel-7 [bug 1879230]
Affects: fedora-all [bug 1879226]
Created golang-github-andybalholm-brotli tracking bugs for this issue:
Affects: fedora-all [bug 1879228]
Created mingw-brotli tracking bugs for this issue:
Affects: fedora-all [bug 1879227]
Upstream commit: https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
This flaw can be mitigated by using the streaming API (BrotliDecoderDecompressStream) instead of the one-shot API (BrotliDecoderDecompress) and imposing chunk size limits on both the input fed to, and the output drained from, each call.