diff --git a/barretenberg/cpp/src/barretenberg/common/serialize.hpp b/barretenberg/cpp/src/barretenberg/common/serialize.hpp
index 63771b2d4a89..368d7a4b40fc 100644
--- a/barretenberg/cpp/src/barretenberg/common/serialize.hpp
+++ b/barretenberg/cpp/src/barretenberg/common/serialize.hpp
@@ -31,6 +31,7 @@
 #include "barretenberg/common/log.hpp"
 #include "barretenberg/common/mem.hpp"
 #include "barretenberg/common/net.hpp"
+#include "barretenberg/common/throw_or_abort.hpp"
 #include "barretenberg/serialize/msgpack_apply.hpp"
 #include
 #include
@@ -41,6 +42,10 @@
 #include
 #include
+// Maximum total bytes a single deserialization may allocate (256 MB).
+// Prevents attacker-controlled size fields from triggering multi-GB allocations.
+inline constexpr size_t MAX_SERIALIZE_BYTES = 256ULL * 1024 * 1024;
+
 #ifndef __i386__
 __extension__ using uint128_t = unsigned __int128;
 #endif
@@ -215,6 +220,9 @@ inline void read(uint8_t const*& it, std::vector& value)
 {
 uint32_t size = 0;
 read(it, size);
+ if (size > MAX_SERIALIZE_BYTES) {
+ throw_or_abort("deserialize: vector size exceeds 256 MB limit");
+ }
 value.resize(size);
 std::copy(it, it + size, value.data());
 it += size;
@@ -233,6 +241,9 @@ inline void read(std::istream& is, std::vector& value)
 {
 uint32_t size = 0;
 read(is, size);
+ if (size > MAX_SERIALIZE_BYTES) {
+ throw_or_abort("deserialize: vector size exceeds 256 MB limit");
+ }
 value.resize(size);
 is.read(reinterpret_cast(value.data()), static_cast(size));
 }
@@ -282,6 +293,9 @@ template inline void read(B& it, std::vecto
 using serialize::read;
 uint32_t size = 0;
 read(it, size);
+ if (static_cast(size) * sizeof(T) > MAX_SERIALIZE_BYTES) {
+ throw_or_abort("deserialize: vector size exceeds 256 MB limit");
+ }
 value.resize(size);
 for (size_t i = 0; i < size; ++i) {
 read(it, value[i]);
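Review bot: The comment on `MAX_SERIALIZE_BYTES` in the `@@ -41` hunk promises more than the checks deliver: every `read` overload in the later hunks compares only its own length prefix against the constant, so a nested container (a vector of vectors, or a map whose values are vectors) is bounded per level, not per deserialization, and the total a single payload can request is not capped by this value. Reword it to `// Upper bound on the bytes a single length-prefixed container may request; nested containers are checked independently, so this does not bound the total for one payload.` The error strings in the later hunks also spell out "256 MB" literally, so they go stale if the constant is retuned; dropping the number from the message, or building it from the constant, keeps them in step. The constant is placed at global namespace in a shared header while the file already has a `serialize` namespace (`using serialize::read;` in the `@@ -282` hunk), which would be the natural home for it.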
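Review bot: The new guard in the `uint8_t const*&` overload at `@@ -215` caps the allocation but not the copy that follows: `std::copy(it, it + size, value.data())` still advances `size` bytes with no end pointer, so a length prefix larger than the remaining input over-reads the buffer exactly as before, now merely with a 256 MB ceiling. The `std::istream` overload at `@@ -233` has the mirror problem: `is.read(...)` may return short and leave the tail of `value` zero-filled, and neither `is.gcount()` nor the stream state is checked. Because the pointer overload's signature carries no bound, that one cannot be fixed inside this hunk; at minimum document the contract above the check, `// Bounds the allocation only; the caller must guarantee at least size bytes remain in the input.`, and in the stream overload add `if (!is) { throw_or_abort("deserialize: short read"); }` after `is.read(...)` so a truncated stream fails loudly instead of yielding a silently padded vector.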
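Review bot: The guard `static_cast(size) * sizeof(T) > MAX_SERIALIZE_BYTES` in the `@@ -282` hunk can itself overflow when the cast target is a 32-bit type (the target type was lost in this rendering; if it is `size_t`, that is the case on the `__i386__` build this header already special-cases and on any other 32-bit target): `size` is a `uint32_t`, so a size and element width whose product exceeds 2^32 wraps, and a wrapped product that lands below the limit passes the check, which defeats the purpose of the commit. A division side-steps the overflow for any integer width and `sizeof(T)` is never zero: `if (size > MAX_SERIALIZE_BYTES / sizeof(T)) {`. The map overload at `@@ -353` repeats the pattern with `sizeof(T) + sizeof(U)` and should use the same form. Separately, `sizeof(T)` is the in-memory element size, not its encoded size, so for element types that own heap data (nested vectors, strings) this bound holds per level only. The enclosing function continues outside the hunk.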
@@ -353,6 +367,9 @@ template inline void read(B& it, std::map(size) * (sizeof(T) + sizeof(U)) > MAX_SERIALIZE_BYTES) {
+ throw_or_abort("deserialize: map size exceeds 256 MB limit");
+ }
 for (size_t i = 0; i < size; ++i) {
 std::pair v;
 read(it, v);