In crates/graphite_binary/src/nbt/decode.rs the read_list function uses Vec::with_capacity(length as _). However, length has no upper bound. I believe malicious input could potentially allocate i32::MAX * sizeof(usize) bytes.
The other read functions are correctly bounded.
In
crates/graphite_binary/src/nbt/decode.rstheread_listfunction usesVec::with_capacity(length as _). However,lengthhas no upper bound. I believe malicious input could potentially allocatei32::MAX * sizeof(usize)bytes.The other read functions are correctly bounded.