Unsafe instantiation of arrays

[GrabYourPitchforks]

There are a few places in the code where an untrusted count / length / etc. value is used as a length argument for array creation. This allows trivial DoS via an untrusted payload specifying very large lengths but never providing any data after the length value.

SafePayloadReader/System.Runtime.Serialization.BinaryFormat/Records/ArraySinglePrimitiveRecord.cs

Lines 61 to 71 in cfb7ac5

	private static T[] ReadPrimitiveTypes<T>(BinaryReader reader, int count)
	where T : unmanaged
	{
	// Special casing byte for performance.
	if (typeof(T) == typeof(byte))
	{
	byte[] bytes = reader.ReadBytes(count);
	return (T[])(object)bytes;
	}
	T[] values = new T[count];

SafePayloadReader/System.Runtime.Serialization.BinaryFormat/Infos/ClassInfo.cs

Lines 34 to 35 in cfb7ac5

	int memberCount = reader.ReadInt32();
	string[] memberNames = new string[memberCount];

SafePayloadReader/System.Runtime.Serialization.BinaryFormat/Infos/MemberTypeInfo.cs

Lines 22 to 24 in cfb7ac5

	internal static MemberTypeInfo Parse(BinaryReader reader, int count)
	{
	(BinaryType BinaryType, object? AdditionalInfo)[] info = new (BinaryType BinaryType, object? AdditionalInfo)[count];

SafePayloadReader/System.Runtime.Serialization.BinaryFormat/Records/ArraySingleStringRecord.cs

Line 32 in cfb7ac5

string?[] values = new string?[arrayInfo.Length];

SafePayloadReader/System.Runtime.Serialization.BinaryFormat/Records/BinaryArrayRecord.cs

Lines 39 to 47 in cfb7ac5

	int length = reader.ReadInt32();
	if (arrayType != BinaryArrayType.Single || rank != 1)
	{
	throw new NotSupportedException("Only single dimensional arrays are currently supported.");
	}
	MemberTypeInfo memberTypeInfo = MemberTypeInfo.Parse(reader, 1);
	ClassRecord?[] records = new ClassRecord?[length];

[adamsitnik]

What would be the proper fix? Allocate Lists with default capacity and just add items?