Update lz4 from upstream

CHANGELOG.md

@@ -10,6 +10,8 @@ librdkafka v2.0.3 is a bugfix release:
 * Fix seek partition timeout, was one thousand times lower than the passed
   value (#4230).
 * Batch consumer fixes: TODO: describe (#4208).
+* Update lz4.c from upstream. Fixes [CVE-2021-3520](https://github.com/advisories/GHSA-gmc7-pqv9-966m)
+  (by @filimonov, #4232).
 * Upgrade OpenSSL to v3.0.8 with various security fixes,
   check the [release notes](https://www.openssl.org/news/cl30.txt) (#4215).
 

src/lz4.c

@@ -1,6 +1,6 @@
 /*
    LZ4 - Fast LZ compression algorithm
-   Copyright (C) 2011-present, Yann Collet.
+   Copyright (C) 2011-2020, Yann Collet.
 
    BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php)
 
@@ -1051,7 +1051,7 @@ LZ4_FORCE_INLINE int LZ4_compress_generic_validated(
 _next_match:
         /* at this stage, the following variables must be correctly set :
          * - ip : at start of LZ operation
-         * - match : at start of previous pattern occurence; can be within current prefix, or within extDict
+         * - match : at start of previous pattern occurrence; can be within current prefix, or within extDict
          * - offset : if maybe_ext_memSegment==1 (constant)
          * - lowLimit : must be == dictionary to mean "match is within extDict"; must be == source otherwise
          * - token and *token : position to write 4-bits for match length; higher 4-bits for literal length supposed already written
@@ -1752,7 +1752,7 @@ LZ4_decompress_generic(
                  const size_t dictSize         /* note : = 0 if noDict */
                  )
 {
-    if (src == NULL) { return -1; }
+    if ((src == NULL) || (outputSize < 0)) { return -1; }
 
     {   const BYTE* ip = (const BYTE*) src;
         const BYTE* const iend = ip + srcSize;
@@ -2495,4 +2495,4 @@ char* LZ4_slideInputBuffer (void* state)
     return (char *)(uptrval)((LZ4_stream_t*)state)->internal_donotuse.dictionary;
 }
 
-#endif   /* LZ4_COMMONDEFS_ONLY */
+#endif   /* LZ4_COMMONDEFS_ONLY */