
Fix an OOM in deserialization on malicious input #222

Merged
Lokathor merged 2 commits into Lokathor:main from Eh2406:oom
Jul 2, 2026

@Eh2406 Eh2406 commented Jul 2, 2026

Contributor

The situation is that BorshDeserialize calls with_capacity on a user-supplied length. If that's untrusted input, it can easily trigger OOM. I have found no examples of Borsh on untrusted input. So I am submitting this as a PR.

Found and fix inspired with AI.

@Lokathor Lokathor merged commit 06ba425 into Lokathor:main Jul 2, 2026
5 checks passed
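
The pattern described in the PR comment, next to one common way to bound it, as an added example. This is not the code from the PR or from the project; the function names, the `u32` element type and the sample inputs are assumptions made for illustration.

```rust
// Added example. Wire format assumed: Borsh-style sequence of u32,
// i.e. a u32 little-endian element count followed by that many u32 LE values.
const ELEM_SIZE: usize = 4;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
}

fn read_u32(input: &mut &[u8]) -> Result<u32, DecodeError> {
    if input.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let (head, rest) = input.split_at(4);
    *input = rest;
    Ok(u32::from_le_bytes([head[0], head[1], head[2], head[3]]))
}

/// Elements to reserve up front: never more than the remaining bytes can encode.
pub fn bounded_capacity(declared: usize, remaining_bytes: usize) -> usize {
    declared.min(remaining_bytes / ELEM_SIZE)
}

/// Pattern described in the PR: the allocation size comes straight from the prefix.
pub fn decode_trusting(mut input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let len = read_u32(&mut input)? as usize;
    let mut out = Vec::with_capacity(len); // 4 hostile bytes can request ~16 GiB
    for _ in 0..len {
        out.push(read_u32(&mut input)?);
    }
    Ok(out)
}

/// Hardened form: same result on valid input, allocation bounded by input size.
pub fn decode_bounded(mut input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let len = read_u32(&mut input)? as usize;
    let mut out = Vec::with_capacity(bounded_capacity(len, input.len()));
    for _ in 0..len {
        out.push(read_u32(&mut input)?);
    }
    Ok(out)
}

fn main() {
    let valid: [u8; 12] = [2, 0, 0, 0, 7, 0, 0, 0, 9, 0, 0, 0]; // constructed sample
    let hostile: [u8; 8] = [0xff, 0xff, 0xff, 0xff, 1, 0, 0, 0]; // constructed: claims 2^32-1 items
    assert_eq!(decode_trusting(&valid), decode_bounded(&valid));
    println!("{:?} {:?}", decode_bounded(&valid), decode_bounded(&hostile));
}
```

With the bounded form, an oversized length prefix ends in a `Truncated` error once the input runs out, after reserving room for at most the number of elements the remaining bytes could hold.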