LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://security.netapp.com/advisory/ntap-20210723-0001/
https://github.com/lz4/lz4/pull/760
https://github.com/lz4/lz4/pull/756
https://github.com/lz4/lz4/issues/801
https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html