From c79c8bbbec1265b0bf2fe16994b27c7b8d5a3c23 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Wed, 27 May 2026 18:03:10 -0400
Subject: [PATCH] snappy: read frame length as 3 bytes to avoid OOB at boundary
The frame header is 4 bytes: 1 byte type + 3 bytes little-endian length. The previous code read a uint32_t at frame_buffer[1] which touches byte index 4, but the bounds check only ensures indices 0-3 are valid. When exactly 4 bytes remain, byte 4 is out of bounds. Read the 3-byte length field byte-by-byte instead. This also fixes a potential unaligned memory access on strict-alignment architectures.
Signed-off-by: Tristan
---
 src/flb_snappy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/flb_snappy.c b/src/flb_snappy.c
index c4c16b0ade6..74595e8a8f0 100644
--- a/src/flb_snappy.c
+++ b/src/flb_snappy.c
@@ -170,8 +170,9 @@ int flb_snappy_uncompress_framed_data(char *in_data, size_t in_len,
 frame_type = *((uint8_t *) &frame_buffer[0]);
- frame_length = *((uint32_t *) &frame_buffer[1]);
- frame_length &= 0x00FFFFFF;
+ frame_length = ((uint32_t)((unsigned char) frame_buffer[1])) |
+ ((uint32_t)((unsigned char) frame_buffer[2]) << 8) |
+ ((uint32_t)((unsigned char) frame_buffer[3]) << 16);
 frame_body = &frame_buffer[4];
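Review bot: The byte-wise assembly of `frame_length` has no comment saying why it must not be a single 32-bit load, so a later cleanup could reintroduce the read of byte index 4 that this commit removes. I would put `/* 24-bit little-endian length: read bytes 1..3 only, a uint32_t load here would touch byte 4 */` directly above the assignment. The diffstat shows only src/flb_snappy.c changing, so nothing pins the boundary case; a regression test feeding input that ends exactly on a 4-byte frame header would keep it fixed. The body of flb_snappy_uncompress_framed_data continues outside the hunk, so whether `frame_length` is compared with the bytes remaining before `frame_body` is read cannot be seen here and is worth confirming.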