From 73554e051afb018108d8679d9ba38c0de7735c1b Mon Sep 17 00:00:00 2001
From: joshua-spacetime
Date: Mon, 15 Jun 2026 22:58:26 -0700
Subject: [PATCH] Don't preallocate based on bsatn length prefix
---
 crates/sats/src/de.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crates/sats/src/de.rs b/crates/sats/src/de.rs
index 1c16d8e46b8..3a0987c9a74 100644
--- a/crates/sats/src/de.rs
+++ b/crates/sats/src/de.rs
@@ -771,7 +771,12 @@ impl GrowingVec for SmallVec<[T; N]> {
 /// A basic implementation of `ArrayVisitor::visit` using the provided size hint.
 pub fn array_visit<'de, A: ArrayAccess<'de>, V: GrowingVec>(mut access: A) -> Result {
- let mut v = V::try_with_capacity(access.size_hint().unwrap_or(0))?;
+ // Don’t blindly trust length prefixes when reserving initial capacity
+ // for decoding array elements, as malformed input could generate a huge allocation,
+ // potentially resulting in an OOM kill.
+ const RESERVE_ARRAY_ELEMENTS: usize = 4096;
+ let cap = access.size_hint().unwrap_or(0);
+ let mut v = V::try_with_capacity(cap.min(RESERVE_ARRAY_ELEMENTS))?;
 while let Some(x) = access.next_element()? {
 v.push(x)
 }
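Review bot: The new cap `RESERVE_ARRAY_ELEMENTS` in `array_visit` counts elements rather than bytes, so the reservation an untrusted length prefix can still trigger is 4096 times the element size, which may be sizeable for wide element types and is possibly paid once per nesting level of a malformed input. If the element type can be named here (the generic parameters are not fully visible in this hunk), consider deriving the cap from a byte budget, e.g. `let cap = hint.min(MAX_RESERVE_BYTES / core::mem::size_of::<T>().max(1));`, where `MAX_RESERVE_BYTES` is a placeholder for a constant you would choose. The doc comment above the function still says it uses "the provided size hint"; it should state that the hint is clamped, e.g. `/// The size hint is clamped before reserving; the vector still grows to the actual element count.` A regression test that decodes a short input carrying a very large length prefix would pin this behaviour. The function body continues past the end of the hunk.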