
fix: add bounds when allocating arrays in deserialization #21622

Merged
PhilWindle merged 2 commits into merge-train/spartan from palla/a-696-deserialization-max-size-bounds
Mar 17, 2026

@spalladino (Contributor) commented Mar 16, 2026

Calling `Array.from({length})` allocates length immediately. We were
calling this method in the context of deserialization with untrusted
input.

This PR changes it so we use `new Array(size)` for untrusted input. A
bit less efficient, but more secure.

@spalladino added the ci-no-fail-fast (Sets NO_FAIL_FAST in the CI so the run is not aborted on the first failure), backport-to-v4-next and backport-to-v4 labels and removed the backport-to-v4-next label Mar 16, 2026
@spalladino force-pushed the palla/a-696-deserialization-max-size-bounds branch from 5786cad to 92f87f8 March 17, 2026 02:11
@spalladino changed the title from "fix(stdlib): add maxSize bounds to network-reachable deserialization paths" to "fix: add maxSize bounds when allocating arrays" Mar 17, 2026
@spalladino changed the title from "fix: add maxSize bounds when allocating arrays" to "fix: add bounds when allocating arrays in deserialization" Mar 17, 2026
@PhilWindle merged commit 881eb02 into merge-train/spartan Mar 17, 2026
11 checks passed
@PhilWindle deleted the palla/a-696-deserialization-max-size-bounds branch March 17, 2026 09:53
AztecBot pushed a commit that referenced this pull request Mar 17, 2026
@AztecBot (Collaborator) commented

✅ Successfully backported to backport-to-v4-next-staging #21654.

spalladino added a commit that referenced this pull request Mar 17, 2026
spalladino added a commit that referenced this pull request Mar 17, 2026
…21622) (#21666)

It was a red herring. 

We were not using `Array.from({ length })` but `Array.from({ length },
() => deserializer)`, and the deserializer would throw when reaching the
end of the buffer, preventing the full allocation of the array.
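
The behaviour described in the follow-up commit, as an added example that is not code from this PR or the project: a constructed message whose length prefix claims 0xFFFFFFFF elements is read once with `Array.from({ length }, mapper)`, where the mapper throws at the end of the buffer, and once with an explicit bound checked before any element is read. `Reader`, `readVectorLazy`, `readVectorBounded`, the `maxSize` parameter as used here and the 4-byte element size are assumptions made for illustration.

```javascript
// Minimal big-endian reader (hypothetical; not the project's own reader class).
class Reader {
  constructor(bytes) {
    this.view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    this.offset = 0;
  }
  remaining() { return this.view.byteLength - this.offset; }
  readU32() {
    if (this.remaining() < 4) throw new RangeError('read past end of buffer');
    const value = this.view.getUint32(this.offset); // big-endian by default
    this.offset += 4;
    return value;
  }
}

// Pattern named in the follow-up commit: the mapper runs once per element,
// so a lying length prefix fails at the first read past the end of the data.
function readVectorLazy(reader, stats) {
  const length = reader.readU32();
  return Array.from({ length }, () => { stats.calls++; return reader.readU32(); });
}

// Explicit bound: reject the prefix before reading any element when it exceeds
// maxSize or the remaining bytes cannot hold that many 4-byte elements.
function readVectorBounded(reader, maxSize) {
  const length = reader.readU32();
  if (length > maxSize || length * 4 > reader.remaining()) {
    throw new RangeError(`vector length ${length} exceeds bound`);
  }
  return Array.from({ length }, () => reader.readU32());
}

// Constructed inputs: the first prefix claims 0xFFFFFFFF elements, only two follow.
const hostile = () => new Uint8Array([0xff, 0xff, 0xff, 0xff, 0, 0, 0, 1, 0, 0, 0, 2]);
const honest = () => new Uint8Array([0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 2]);

function demo() {
  const stats = { calls: 0 };
  const errors = {};
  try { readVectorLazy(new Reader(hostile()), stats); } catch (e) { errors.lazy = e.message; }
  try { readVectorBounded(new Reader(hostile()), 1024); } catch (e) { errors.bounded = e.message; }
  const values = readVectorBounded(new Reader(honest()), 1024);
  return { mapperCalls: stats.calls, errors, values };
}

console.log(demo());
```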