Malformed string compression table causes panic/abort in parser · Issue #2 · demostf/parser
The demo file is rather large and I couldn't minify it, but I've attached it anyways.
The crash is

```rust
let compressed_data = table_data.read_bytes(compressed_size as usize - 4)?;
```

If `compressed_size` is less than 4, it will either panic on wraparound with debug assertions enabled, or try to allocate a huge amount of memory in release mode and abort. (This could probably be used to cause a denial of service by trying to allocate large buffers.)
The fix here IMO is to do a checked subtraction there, but also not to trust the value we got from the file for the compressed size. That might be a change in bitbuffer too, which should have tests that trying to read huge amounts of data doesn't crash, and instead returns an error, which it doesn't seem to be doing.
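
An added example (not code from demostf/parser or bitbuffer) of the checked subtraction and untrusted-length check suggested above. The function names, the error type, and bounding the length by the bytes remaining in the input are assumptions made for illustration.

```rust
// Added example: all names here are hypothetical, not the project's API.
#[derive(Debug, PartialEq)]
pub enum LengthError {
    /// Declared size is smaller than the 4 bytes subtracted from it.
    TooSmall { declared: u32 },
    /// Declared size asks for more bytes than the input still holds.
    ExceedsInput { wanted: usize, available: usize },
}

/// What `compressed_size as usize - 4` evaluates to when overflow checks
/// are off (release build): the subtraction wraps instead of panicking.
pub fn unchecked_len_release(compressed_size: u32) -> usize {
    (compressed_size as usize).wrapping_sub(4)
}

/// Validate the file-supplied size before any allocation or read.
pub fn checked_payload_len(compressed_size: u32, available: usize) -> Result<usize, LengthError> {
    let wanted = (compressed_size as usize)
        .checked_sub(4)
        .ok_or(LengthError::TooSmall { declared: compressed_size })?;
    if wanted > available {
        return Err(LengthError::ExceedsInput { wanted, available });
    }
    Ok(wanted)
}

/// Borrow the payload from the remaining input; nothing is allocated
/// based on the declared size alone.
pub fn read_payload(rest: &[u8], compressed_size: u32) -> Result<&[u8], LengthError> {
    let len = checked_payload_len(compressed_size, rest.len())?;
    Ok(&rest[..len])
}

fn main() {
    let rest = [0xAAu8; 16]; // constructed sample input, 16 bytes remaining
    for size in [3u32, 4, 12, 4096] {
        println!(
            "size={}: unchecked={} checked={:?}",
            size,
            unchecked_len_release(size),
            read_payload(&rest, size).map(|p| p.len())
        );
    }
}
```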