Merge pull request #570 from Dstack-TEE/fix/vecof-unbounded-alloc

kvinwang · web-flow · commit 7503f4fc6eb4 · 2026-03-19T02:20:10.000Z
fix: cap VecOf pre-allocation to prevent OOM on malformed input
diff --git a/cc-eventlog/src/codecs.rs b/cc-eventlog/src/codecs.rs
@@ -7,12 +7,12 @@ use std::ops::Deref;
 use scale::{Decode, Input};
 
 #[derive(Clone, Debug, PartialEq, Eq)]
-pub struct VecOf<I, T> {
+pub struct VecOf<I, T, const MAX_LEN: usize = 65536> {
     len: I,
     inner: Vec<T>,
 }
 
-impl<I: Default, T> Default for VecOf<I, T> {
+impl<I: Default, T, const MAX_LEN: usize> Default for VecOf<I, T, MAX_LEN> {
     fn default() -> Self {
         Self {
             len: I::default(),
@@ -21,11 +21,16 @@ impl<I: Default, T> Default for VecOf<I, T> {
     }
 }
 
-impl<I: Decode + Into<u32> + Copy, T: Decode> Decode for VecOf<I, T> {
+impl<I: Decode + Into<u32> + Copy, T: Decode, const MAX_LEN: usize> Decode
+    for VecOf<I, T, MAX_LEN>
+{
     fn decode<In: Input>(input: &mut In) -> Result<Self, scale::Error> {
         let decoded_len = I::decode(input)?;
         let len = decoded_len.into() as usize;
-        let mut inner = Vec::with_capacity(len);
+        if len > MAX_LEN {
+            return Err("VecOf length exceeds upper bound".into());
+        }
+        let mut inner = Vec::with_capacity(len.min(1024));
         for _ in 0..len {
             inner.push(T::decode(input)?);
         }
@@ -36,7 +41,7 @@ impl<I: Decode + Into<u32> + Copy, T: Decode> Decode for VecOf<I, T> {
     }
 }
 
-impl<I, T> VecOf<I, T> {
+impl<I, T, const MAX_LEN: usize> VecOf<I, T, MAX_LEN> {
     pub fn into_inner(self) -> Vec<T> {
         self.inner
     }
@@ -49,28 +54,28 @@ impl<I, T> VecOf<I, T> {
     }
 }
 
-impl<I, T> Deref for VecOf<I, T> {
+impl<I, T, const MAX_LEN: usize> Deref for VecOf<I, T, MAX_LEN> {
     type Target = Vec<T>;
 
     fn deref(&self) -> &Self::Target {
         &self.inner
     }
 }
 
-impl<I, T> From<(I, Vec<T>)> for VecOf<I, T> {
+impl<I, T, const MAX_LEN: usize> From<(I, Vec<T>)> for VecOf<I, T, MAX_LEN> {
     fn from((len, vec): (I, Vec<T>)) -> Self {
         Self { len, inner: vec }
     }
 }
 
-impl<I, T> AsRef<[T]> for VecOf<I, T> {
+impl<I, T, const MAX_LEN: usize> AsRef<[T]> for VecOf<I, T, MAX_LEN> {
     fn as_ref(&self) -> &[T] {
         &self.inner
     }
 }
 
-impl<I, T> From<VecOf<I, T>> for Vec<T> {
-    fn from(value: VecOf<I, T>) -> Self {
+impl<I, T, const MAX_LEN: usize> From<VecOf<I, T, MAX_LEN>> for Vec<T> {
+    fn from(value: VecOf<I, T, MAX_LEN>) -> Self {
         value.inner
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,12 +7,12 @@ use std::ops::Deref;`
`7`	`7`	`use scale::{Decode, Input};`
`8`	`8`
`9`	`9`	`#[derive(Clone, Debug, PartialEq, Eq)]`
`10`		`-pub struct VecOf<I, T> {`
	`10`	`+pub struct VecOf<I, T, const MAX_LEN: usize = 65536> {`
`11`	`11`	`len: I,`
`12`	`12`	`inner: Vec<T>,`
`13`	`13`	`}`
`14`	`14`
`15`		`-impl<I: Default, T> Default for VecOf<I, T> {`
	`15`	`+impl<I: Default, T, const MAX_LEN: usize> Default for VecOf<I, T, MAX_LEN> {`
`16`	`16`	`fn default() -> Self {`
`17`	`17`	`Self {`
`18`	`18`	`len: I::default(),`
`@@ -21,11 +21,16 @@ impl<I: Default, T> Default for VecOf<I, T> {`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`24`		`-impl<I: Decode + Into<u32> + Copy, T: Decode> Decode for VecOf<I, T> {`
	`24`	`+impl<I: Decode + Into<u32> + Copy, T: Decode, const MAX_LEN: usize> Decode`
	`25`	`+ for VecOf<I, T, MAX_LEN>`
	`26`	`+{`
`25`	`27`	`fn decode<In: Input>(input: &mut In) -> Result<Self, scale::Error> {`
`26`	`28`	`let decoded_len = I::decode(input)?;`
`27`	`29`	`let len = decoded_len.into() as usize;`
`28`		`- let mut inner = Vec::with_capacity(len);`
	`30`	`+ if len > MAX_LEN {`
	`31`	`+ return Err("VecOf length exceeds upper bound".into());`
	`32`	`+ }`
	`33`	`+ let mut inner = Vec::with_capacity(len.min(1024));`
`29`	`34`	`for _ in 0..len {`
`30`	`35`	`inner.push(T::decode(input)?);`
`31`	`36`	`}`
`@@ -36,7 +41,7 @@ impl<I: Decode + Into<u32> + Copy, T: Decode> Decode for VecOf<I, T> {`
`36`	`41`	`}`
`37`	`42`	`}`
`38`	`43`
`39`		`-impl<I, T> VecOf<I, T> {`
	`44`	`+impl<I, T, const MAX_LEN: usize> VecOf<I, T, MAX_LEN> {`
`40`	`45`	`pub fn into_inner(self) -> Vec<T> {`
`41`	`46`	`self.inner`
`42`	`47`	`}`
`@@ -49,28 +54,28 @@ impl<I, T> VecOf<I, T> {`
`49`	`54`	`}`
`50`	`55`	`}`
`51`	`56`
`52`		`-impl<I, T> Deref for VecOf<I, T> {`
	`57`	`+impl<I, T, const MAX_LEN: usize> Deref for VecOf<I, T, MAX_LEN> {`
`53`	`58`	`type Target = Vec<T>;`
`54`	`59`
`55`	`60`	`fn deref(&self) -> &Self::Target {`
`56`	`61`	`&self.inner`
`57`	`62`	`}`
`58`	`63`	`}`
`59`	`64`
`60`		`-impl<I, T> From<(I, Vec<T>)> for VecOf<I, T> {`
	`65`	`+impl<I, T, const MAX_LEN: usize> From<(I, Vec<T>)> for VecOf<I, T, MAX_LEN> {`
`61`	`66`	`fn from((len, vec): (I, Vec<T>)) -> Self {`
`62`	`67`	`Self { len, inner: vec }`
`63`	`68`	`}`
`64`	`69`	`}`
`65`	`70`
`66`		`-impl<I, T> AsRef<[T]> for VecOf<I, T> {`
	`71`	`+impl<I, T, const MAX_LEN: usize> AsRef<[T]> for VecOf<I, T, MAX_LEN> {`
`67`	`72`	`fn as_ref(&self) -> &[T] {`
`68`	`73`	`&self.inner`
`69`	`74`	`}`
`70`	`75`	`}`
`71`	`76`
`72`		`-impl<I, T> From<VecOf<I, T>> for Vec<T> {`
`73`		`- fn from(value: VecOf<I, T>) -> Self {`
	`77`	`+impl<I, T, const MAX_LEN: usize> From<VecOf<I, T, MAX_LEN>> for Vec<T> {`
	`78`	`+ fn from(value: VecOf<I, T, MAX_LEN>) -> Self {`
`74`	`79`	`value.inner`
`75`	`80`	`}`
`76`	`81`	`}`