From c4ca0490ee43deadefdedfb634ab90cf0e598c6b Mon Sep 17 00:00:00 2001
From: Calvin Rose <calsrose@gmail.com>
Date: Sun, 5 Apr 2020 08:16:40 -0500
Subject: [PATCH] Prevent unmarsal DOS in arrays,buffers,tables,and structs.

---
 src/core/marsh.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/core/marsh.c b/src/core/marsh.c
index 0f91ae57..cf87b187 100644
--- a/src/core/marsh.c
+++ b/src/core/marsh.c
@@ -1234,6 +1234,10 @@ static const uint8_t *unmarshal_one(
         {
             data++;
             int32_t len = readnat(st, &data);
+            /* DOS check */
+            if (lead != LB_REFERENCE) {
+                MARSH_EOS(st, data - 1 + len);
+            }
             if (lead == LB_ARRAY) {
                 /* Array */
                 JanetArray *array = janet_array(len);
@@ -1265,7 +1269,7 @@ static const uint8_t *unmarshal_one(
                 *out = janet_wrap_struct(janet_struct_end(struct_));
                 janet_v_push(st->lookup, *out);
             } else if (lead == LB_REFERENCE) {
-                if (len < 0 || len >= janet_v_count(st->lookup))
+                if (len >= janet_v_count(st->lookup))
                     janet_panicf("invalid reference %d", len);
                 *out = st->lookup[len];
             } else {