The helper Header::read and its buffered/async variants (fn read, fn read_async, fn read_buffered, and fn read_async_buffered) call the nom parser in a loop. When the parser returns Incomplete(Needed::Size(n)), the code blindly executes data.resize(m + n, 0) and then calls read_exact to read the additional bytes. Because n is attacker-influenced and no upper bound is enforced, a hostile file can force arbitrarily large allocations, leading to memory-exhaustion denial of service.
Recommendation:
Abort header parsing when the accumulated buffer exceeds 64 KiB (the limit used by the reference Go implementation) or a tighter value mandated by project policy. Propagate a DecryptError::InvalidHeaderSize to callers.
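The bounded read loop this recommendation describes, as an added example that is not the project's own code. A constructed length-prefixed toy format stands in for the nom header parser, and DecryptError, Parse, parse and read_header are local stand-ins assumed for illustration.

```rust
use std::io::{self, Read};

const MAX_HEADER_SIZE: usize = 64 * 1024; // cap from the recommendation above

// Local stand-in for the project's error type (assumption).
#[derive(Debug, PartialEq)]
enum DecryptError { InvalidHeaderSize, Io(io::ErrorKind) }

// Stand-in for the nom outcome: Done(total_len) or Incomplete(bytes_needed).
enum Parse { Done(usize), Incomplete(usize) }

// Constructed toy format (not the real header): u32 big-endian length, then body.
fn parse(data: &[u8]) -> Parse {
    if data.len() < 4 {
        return Parse::Incomplete(4 - data.len());
    }
    let body = u32::from_be_bytes([data[0], data[1], data[2], data[3]]) as usize;
    let total = body.saturating_add(4);
    if data.len() < total {
        Parse::Incomplete(total - data.len())
    } else {
        Parse::Done(total)
    }
}

fn read_header<R: Read>(mut input: R) -> Result<Vec<u8>, DecryptError> {
    let mut data = Vec::new();
    loop {
        match parse(&data) {
            Parse::Done(len) => { data.truncate(len); return Ok(data); }
            Parse::Incomplete(n) => {
                let m = data.len();
                // Validate m + n BEFORE resize(): overflow or exceeding the cap aborts.
                let new_len = m.checked_add(n)
                    .filter(|&len| len <= MAX_HEADER_SIZE)
                    .ok_or(DecryptError::InvalidHeaderSize)?;
                data.resize(new_len, 0);
                input.read_exact(&mut data[m..])
                    .map_err(|e| DecryptError::Io(e.kind()))?;
            }
        }
    }
}

fn main() {
    let hostile = [0xffu8; 4]; // constructed input: 4 bytes claiming a ~4 GiB body
    println!("{:?}", read_header(&hostile[..])); // Err(InvalidHeaderSize)
}
```

The check runs before the allocation, so the hostile length is rejected after only four bytes have been buffered.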