Improper Handling of Highly Compressed Data (Data Amplification) in io.netty:netty
CVE-2025-58057
- io.netty:netty
- io.netty:netty-all
- io.netty:netty-codec
- io.netty:netty-codec-compression
- io.netty:netty-codec-http2
- io.netty:netty-codec-http
- io.netty:netty5-codec-http2
- io.netty:netty5-codec-http
Summary
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In affected versions, when supplied with specially crafted input, `BrotliDecoder` and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. `BrotliDecoder.decompress` places no limit on how many times it calls `pull`, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This issue affects versions through 4.1.124.Final, 4.2.0.Alpha1 through 4.2.4.Final and 5.0.0.Alpha1 and 5.0.0.Alpha5.
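The unbounded pull loop the summary describes, next to a bounded version of it, as an added illustration that is not Netty's code: it uses Python's zlib as a stand-in for Brotli (an assumption), and the 64 KiB pull size, output cap and ratio cap are values chosen here, not taken from the advisory.

```python
import zlib

PULL_SIZE = 64 * 1024  # 64 KiB per pull, the granularity the advisory describes


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed a configured cap."""


def unbounded_inflate(data: bytes) -> bytes:
    """Vulnerable shape: pull 64 KiB chunks into a list until end of stream,
    with nothing bounding how much reachable output accumulates."""
    d = zlib.decompressobj()
    out, pending = [], data
    while not d.eof:
        piece = d.decompress(pending, PULL_SIZE)
        pending = d.unconsumed_tail
        if not piece and not pending:
            break  # input exhausted without end-of-stream: truncated input
        out.append(piece)
    return b"".join(out)


def bounded_inflate(data: bytes, max_output: int, max_ratio: int = 100) -> bytes:
    """Hardened shape: the same pull loop, but each pull is checked against an
    absolute output cap and an amplification-ratio cap before it is kept."""
    d = zlib.decompressobj()
    out, pending, total = [], data, 0
    while not d.eof:
        piece = d.decompress(pending, PULL_SIZE)
        pending = d.unconsumed_tail
        if not piece and not pending:
            break
        total += len(piece)
        if total > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes after {len(out) + 1} pulls")
        if total > max_ratio * len(data):
            raise DecompressionLimitExceeded(
                f"amplification exceeds {max_ratio}:1 after {len(out) + 1} pulls")
        out.append(piece)
    return b"".join(out)


def make_sample(plain_size: int) -> bytes:
    """Constructed sample input: all-zero bytes, which compress extremely well."""
    return zlib.compress(b"\x00" * plain_size, 9)
```

With an 8 MiB all-zero sample (a few KiB compressed), `unbounded_inflate` keeps 128 pulls' worth of output reachable, while `bounded_inflate` stops at the first pull that crosses either cap.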
Severity (CVSS v3.1)
- Attack complexity: LOW
- Attack vector: NETWORK
- Privileges required: NONE
- Scope: UNCHANGED
- User interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.