Upstream Reference
Upstream issue: vmihailenco#376
Priority: P0 (Security)
Problem
The decodeSlice() function in decode_slice.go allocates memory based entirely on a length value from the data stream without applying allocation limits:
s := make([]interface{}, 0, n)
An attacker can craft malicious msgpack data claiming an array contains millions of elements, forcing the decoder to pre-allocate massive memory. With nested arrays, memory consumption multiplies exponentially, enabling denial-of-service attacks.
Fix
Apply the sliceAllocLimit check before allocating in decodeSlice(), and cap DecodeMap() similarly.
Files
decode_slice.go (line 173)
decode_map.go (line 160)
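A sketch of the capped pre-allocation pattern the fix describes, added here as an example and not taken from the project's code. It handles only a flat array32 of positive fixints; `allocCap`, `decodeArray32` and the value of `sliceAllocLimit` are assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed value for this sketch; the page names sliceAllocLimit but not its size.
const sliceAllocLimit = 10000

// allocCap bounds the up-front capacity no matter what length the stream claims.
func allocCap(n int) int {
	if n > sliceAllocLimit {
		return sliceAllocLimit
	}
	return n
}

// decodeArray32 decodes a msgpack array32 (0xdd + 4-byte big-endian count)
// whose elements are positive fixints (0x00-0x7f). Hypothetical helper.
func decodeArray32(data []byte) ([]interface{}, error) {
	if len(data) < 5 || data[0] != 0xdd {
		return nil, errors.New("not an array32 header")
	}
	n := int(binary.BigEndian.Uint32(data[1:5]))
	body := data[5:]
	// Unbounded form quoted in the issue: make([]interface{}, 0, n)
	s := make([]interface{}, 0, allocCap(n))
	for i := 0; i < n; i++ {
		if i >= len(body) {
			return nil, fmt.Errorf("truncated: header claims %d elements, got %d", n, i)
		}
		if body[i] > 0x7f {
			return nil, fmt.Errorf("unsupported element type 0x%02x", body[i])
		}
		s = append(s, int(body[i])) // slice grows only as real data arrives
	}
	return s, nil
}

func main() {
	// Constructed inputs: a valid 3-element array, and a bare header with no body.
	ok := []byte{0xdd, 0, 0, 0, 3, 1, 2, 3}
	bad := []byte{0xdd, 0x7f, 0xff, 0xff, 0xff}
	fmt.Println(decodeArray32(ok))
	_, err := decodeArray32(bad)
	fmt.Println(err)
}
```

With the cap in place, memory use tracks the bytes actually present in the input rather than the length field, and a header with no data behind it fails on the first missing element.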