long-cbor decode fix

Sources/CBORDecoder.swift

@@ -60,9 +60,16 @@ public class CBORDecoder {
             throw CBORError.tooLongSequence
         }
 
+        /// Application-safe limit here
+        let MAX_REASONABLE_LENGTH = 200_000
+        guard n <= MAX_REASONABLE_LENGTH else {
+            throw CBORError.tooLongSequence
+        }
+
         return Int(n)
     }
 
+
     private func readN(_ n: Int) throws -> [CBOR] {
         return try (0..<n).map { _ in
             guard let r = try decodeItem() else { throw CBORError.unfinishedSequence }
@@ -197,7 +204,7 @@ public class CBORDecoder {
             return CBOR.double(try readBinaryNumber(Float64.self))
 
         case 0xff: return CBOR.break
-        default: return nil
+        default: throw CBORError.unfinishedSequence
         }
     }
 }

Tests/CBORDecoderTests.swift

@@ -201,8 +201,40 @@ class CBORDecoderTests: XCTestCase {
             _ = try? CBOR.decode(randomData, options: CBOROptions(maximumDepth: 512))
         }
     }
+
+    func testDecodeFailsForAbsurdlyBigArrayOrMapLength() {
+
+        let hugeArrayHeader: [UInt8] = [
+            0x9b,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+        ]
+
+        XCTAssertThrowsError(try CBORDecoder(input: hugeArrayHeader).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.tooLongSequence)
+        }
+
+        let hugeMapHeader: [UInt8] = [
+            0xbb,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+        ]
+
+        XCTAssertThrowsError(try CBORDecoder(input: hugeMapHeader).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.tooLongSequence)
+        }
+    }
+
+    func testDecodeFailsForEmptyInput() {
+        let emptyInput: [UInt8] = []
+        XCTAssertThrowsError(try CBORDecoder(input: emptyInput).decodeItem()) { error in
+            XCTAssertEqual(error as? CBORError, CBORError.unfinishedSequence)
+        }
+    }
+
+
 }
 
+
+
 #if os(Android)
 
 extension XCTestCase {