Heap buffer overflow in Clickhouseβs LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), donβt exceed the destination bufferβs limits.
[
{
"vendor": "yandex",
"product": "clickhouse",
"versions": [
{
"version": "unspecified",
"status": "affected",
"lessThan": "21.10.2.15-stable",
"versionType": "custom"
}
]
}
]