fatal error: runtime: out of memory

[aarongowatch]

it is possible to crash the document parser with an out of memory if io.Reader is corrupt. this is particularly problematic when handling user-supplied data (data streamed a socket for example). a user sending a specially crafted sequence of bytes will crash the go process because because the decoder naively allocates buffers of an arbitrary size:

   182:	}
   183:
   184:	// GetElementContent returns the element's data (if any)
   185:	// Data is present if the element's type is not Master
   186:	func (doc *Document) GetElementContent(el *Element) ([]byte, error) {
=> 187:		buf := make([]byte, el.Size)
   188:
   189:		_, err := io.ReadFull(doc.r, buf)
   190:		if err != nil {
   191:			return nil, err
   192:		}
(dlv) p el.Size
29055659576

The above condition leads to the following crash attempting to allocate 29GB of memory:

fatal error: runtime: out of memory

a simple solution would be to use a fixed buffer and refuse to process an element that is larger than the fixed buffer. while the spec does permit 72,000TB element sizes, allowing the caller to configure a buffer size that wont crash the host system would make sense:

if el.Size > len(self.buffer) {
  return nil, errors.New("invalid size")
}