Cap allocation size in BinaryReader.ReadString

GrabYourPitchforks · Anipik · commit b0b121752517 · 2020-05-26T09:53:39.000-07:00
Do not allow the untrusted payload to dictate the initial capacity of temporary StringBuilder instances.
diff --git a/src/mscorlib/src/System/IO/BinaryReader.cs b/src/mscorlib/src/System/IO/BinaryReader.cs
@@ -312,8 +312,11 @@ public virtual String ReadString()
                 if (currPos == 0 && n == stringLength)
                     return new String(_charBuffer, 0, charsRead);
 
+                // Since we could be reading from an untrusted data source, limit the initial size of the
+                // StringBuilder instance we're about to get or create. It'll expand automatically as needed.
+
                 if (sb == null)
-                    sb = StringBuilderCache.Acquire(stringLength); // Actual string length in chars may be smaller.
+                    sb = StringBuilderCache.Acquire(Math.Min(stringLength, StringBuilderCache.MAX_BUILDER_SIZE)); // Actual string length in chars may be smaller.
                 sb.Append(_charBuffer, 0, charsRead);
                 currPos += n;
             } while (currPos < stringLength);
diff --git a/src/mscorlib/src/System/Text/StringBuilderCache.cs b/src/mscorlib/src/System/Text/StringBuilderCache.cs
@@ -41,7 +41,7 @@ internal static class StringBuilderCache
         // The value 360 was chosen in discussion with performance experts as a compromise between using
         // as litle memory (per thread) as possible and still covering a large part of short-lived
         // StringBuilder creations on the startup path of VS designers.
-        private const int MAX_BUILDER_SIZE = 360;
+        internal const int MAX_BUILDER_SIZE = 360;
 
         [ThreadStatic]
         private static StringBuilder CachedInstance;
