protect against too large bounds

gjtorikian · gjtorikian · commit dbf607d7b428 · 2025-12-05T15:04:56.000-05:00
diff --git a/src/index.ts b/src/index.ts
@@ -32,6 +32,11 @@ class Reader {
   }
 
   public next(len: number): number[] {
+    // Prevent massive array allocation by checking bounds first
+    if (len < 0 || len > this.size - this.offset) {
+      this.error = true;
+      return [];
+    }
     const n = new Array();
     for (let i = 0; i < len; i++) {
       // Stop reading if an error occurred
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -166,6 +166,19 @@ describe('async', () => {
     expect(result).toBe(true);
   });
 
+  it('should not crash on malformed protobuf-like data (issue #80)', async () => {
+    const buff = Buffer.from(
+      '82ACE2828045E382805FE1828053E7828045E7878045E8838145E2988445E2948545E2828D4CE2828A44E28280418CF7EC2E',
+      'hex',
+    );
+
+    expect.assertions(1);
+
+    const result = await isBinaryFile(buff);
+
+    expect(typeof result).toBe('boolean');
+  });
+
   it('should return false on a Vai script file', async () => {
     const file = path.join(FIXTURE_PATH, 'vai_script.txt');
 
@@ -306,6 +319,17 @@ describe('sync', () => {
 
     expect(result).toBe(false);
   });
+
+  it('should not crash on malformed protobuf-like data (issue #80)', () => {
+    const buff = Buffer.from(
+      '82ACE2828045E382805FE1828053E7828045E7878045E8838145E2988445E2948545E2828D4CE2828A44E28280418CF7EC2E',
+      'hex',
+    );
+
+    const result = isBinaryFileSync(buff);
+
+    expect(typeof result).toBe('boolean');
+  });
 });
 
 it('should return false on a UTF-8 file with emoji', () => {
