From cc4e195a0ea2dce88f2fd6c6d73b2504e3c884fd Mon Sep 17 00:00:00 2001
From: Abhishek Paul <paul.apaul.abhishek.ap@gmail.com>
Date: Wed, 16 Jul 2025 10:32:37 +0530
Subject: [PATCH] long-cbor decode fix

Signed-off-by: Abhishek Paul <paul.apaul.abhishek.ap@gmail.com>
---
 Sources/CBORDecoder.swift    |  9 ++++++++-
 Tests/CBORDecoderTests.swift | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/Sources/CBORDecoder.swift b/Sources/CBORDecoder.swift
index 4e26806..8455ded 100644
--- a/Sources/CBORDecoder.swift
+++ b/Sources/CBORDecoder.swift
@@ -60,9 +60,16 @@ public class CBORDecoder {
             throw CBORError.tooLongSequence
         }
 
+        /// Application-safe limit here
+        let MAX_REASONABLE_LENGTH = 200_000
+        guard n <= MAX_REASONABLE_LENGTH else {
+            throw CBORError.tooLongSequence
+        }
+
         return Int(n)
     }
 
+
     private func readN(_ n: Int) throws -> [CBOR] {
         return try (0..<n).map { _ in
             guard let r = try decodeItem() else { throw CBORError.unfinishedSequence }
@@ -197,7 +204,7 @@ public class CBORDecoder {
             return CBOR.double(try readBinaryNumber(Float64.self))
 
         case 0xff: return CBOR.break
-        default: return nil
+        default: throw CBORError.unfinishedSequence
         }
     }
 }
diff --git a/Tests/CBORDecoderTests.swift b/Tests/CBORDecoderTests.swift
index 502f8d1..0d162b2 100644
--- a/Tests/CBORDecoderTests.swift
+++ b/Tests/CBORDecoderTests.swift
@@ -201,8 +201,40 @@ class CBORDecoderTests: XCTestCase {
             _ = try? CBOR.decode(randomData, options: CBOROptions(maximumDepth: 512))
         }
     }
+    
+    func testDecodeFailsForAbsurdlyBigArrayOrMapLength() {
+        
+        let hugeArrayHeader: [UInt8] = [
+            0x9b,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+        ]
+        
+        XCTAssertThrowsError(try CBORDecoder(input: hugeArrayHeader).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.tooLongSequence)
+        }
+        
+        let hugeMapHeader: [UInt8] = [
+            0xbb,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+        ]
+        
+        XCTAssertThrowsError(try CBORDecoder(input: hugeMapHeader).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.tooLongSequence)
+        }
+    }
+    
+    func testDecodeFailsForEmptyInput() {
+        let emptyInput: [UInt8] = []
+        XCTAssertThrowsError(try CBORDecoder(input: emptyInput).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.unfinishedSequence)
+        }
+    }
+
+
 }
 
+
+
 #if os(Android)
 
 extension XCTestCase {