From e28ab4dc6b21420b98bf8cc738f6ce1739efe202 Mon Sep 17 00:00:00 2001
From: Sasha Koshka
Date: Thu, 28 Aug 2025 12:31:49 -0400
Subject: [PATCH] tape: Respect limits when dynamically decoding

---
 tape/dynamic.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tape/dynamic.go b/tape/dynamic.go
index 01345ea..5ef9f7c 100644
--- a/tape/dynamic.go
+++ b/tape/dynamic.go
@@ -145,7 +145,11 @@ func decodeAnyOrError(decoder *Decoder, destination reflect.Value, tag Tag) (n i
 n += nn; if err != nil { return n, err }
 case SBA:
 // SBA: *
- buffer := make([]byte, tag.CN())
+ length := tag.CN()
+ if length > MaxStructureLength {
+ return 0, ErrTooLong
+ }
+ buffer := make([]byte, length)
 nn, err := decoder.Read(buffer)
 n += nn; if err != nil { return n, err }
 setByteArray(destination, buffer)
@@ -153,6 +157,9 @@ func decodeAnyOrError(decoder *Decoder, destination reflect.Value, tag Tag) (n i
 // LBA: *
 length, nn, err := decoder.ReadUintN(tag.CN() + 1)
 n += nn; if err != nil { return n, err }
+ if length > uint64(MaxStructureLength) {
+ return 0, ErrTooLong
+ }
 buffer := make([]byte, length)
 nn, err = decoder.Read(buffer)
 n += nn; if err != nil { return n, err }
@@ -161,6 +168,9 @@ func decodeAnyOrError(decoder *Decoder, destination reflect.Value, tag Tag) (n i
 // OTA: *
 length, nn, err := decoder.ReadUintN(tag.CN() + 1)
 n += nn; if err != nil { return n, err }
+ if length > uint64(MaxStructureLength) {
+ return 0, ErrTooLong
+ }
 oneTag, nn, err := decoder.ReadTag()
 n += nn; if err != nil { return n, err }
 if destination.Cap() < int(length) {
@@ -191,6 +201,9 @@ func decodeAnyOrError(decoder *Decoder, destination reflect.Value, tag Tag) (n i
 // KTV: ( )*
 length, nn, err := decoder.ReadUintN(tag.CN() + 1)
 n += nn; if err != nil { return n, err }
+ if length > uint64(MaxStructureLength) {
+ return 0, ErrTooLong
+ }
 destination.Clear()
 for _ = range length {
 key, nn, err := decoder.ReadUint16()
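Review bot: In the SBA case the new guard is written `length > MaxStructureLength` with no conversion, while the LBA, OTA and KTV guards in this patch write `length > uint64(MaxStructureLength)`; the four checks would read more uniformly through one small helper, or with a short comment on why the operand types differ. If CN is a narrow tag field (its range is not visible in this hunk), the SBA branch can only fire when MaxStructureLength is set very low, and a comment such as `// CN is small; check kept for symmetry with LBA/OTA/KTV` would tell the next reader why it is there. decodeAnyOrError begins and ends outside the hunk.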
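Review bot: The new LBA guard returns `0, ErrTooLong` after `ReadUintN` has already consumed the length field and `n += nn` has recorded it, so the caller is told that no bytes were read, whereas every neighbouring error path returns `n, err`. The OTA and KTV guards further down have the same shape. `return n, ErrTooLong` keeps the byte count accurate for any caller that tracks its position in the stream after rejecting an oversized length. The diffstat lists only tape/dynamic.go, so no test accompanies the change; one case per tag type that supplies a length just above the limit and expects ErrTooLong would pin the behaviour.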
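Review bot: The OTA guard caps the element count of one array, not the memory that array can claim: the growth path that follows (`destination.Cap() < int(length)`, body outside the hunk) presumably allocates length times the element size, and each element may itself be a structure with its own MaxStructureLength allowance. If no nesting-depth or cumulative budget is enforced elsewhere in the decoder, input from an untrusted peer can still request far more than one limit's worth of memory. A comment at the check, e.g. `// limits element count per array; totals across nested structures are not bounded here`, would record that scope, and a decoder-wide byte budget would close it. The same consideration applies to the KTV pair count.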