Markus Franz Xaver Johannes Oberhumer reports, in the package's NEWS file:
Fixed a potential integer overflow condition in the "safe"
decompressor variants which could result in a possible buffer
overrun when processing maliciously crafted compressed input
data.

As this issue only affects 32-bit systems and also can only happen
if you use uncommonly huge buffer sizes where you have to decompress
more than 16 MiB (2^24 bytes) compressed bytes within a single
function call, the practical implications are limited.