fix: invalid allocation requests

Invalid data can lead to allocating too much memory. Only preallocate up to 1024 `Value` objects. Fixes: #115 Signed-off-by: Ahmed Charles <[email protected]>
enarx · Feb 26, 2024 · e305f1c · e305f1c
1 parent 88cf117
commit e305f1c
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/ciborium/src/value/de.rs b/ciborium/src/value/de.rs
@@ -3,7 +3,7 @@
 use super::{Error, Integer, Value};
 
 use alloc::{boxed::Box, string::String, vec::Vec};
-use core::iter::Peekable;
+use core::{iter::Peekable, mem::size_of};
 
 use ciborium_ll::tag;
 use serde::de::{self, Deserializer as _};
@@ -124,7 +124,9 @@ impl<'de> serde::de::Visitor<'de> for Visitor {
 
     #[inline]
     fn visit_map<A: de::MapAccess<'de>>(self, mut acc: A) -> Result<Self::Value, A::Error> {
-        let mut map = Vec::<(Value, Value)>::with_capacity(acc.size_hint().unwrap_or(0));
+        let mut map = Vec::<(Value, Value)>::with_capacity(
+            acc.size_hint().filter(|&l| l < 1024).unwrap_or(0),
+        );
 
         while let Some(kv) = acc.next_entry()? {
             map.push(kv);