One particular thing I noted while testing it is that the issue occurs only if the destination of decode is a []byte.
If you debug the execution with delve, you can see that the failure is caused by the program attempting to allocate a huge amount of memory at line 607 of codec/cbor.go (~53 TB on the first test and ~142 TB on the second one).
Check glumia/ugorji-go-security-issue and https://github.com/fxamacker/cbor/issues/247#issuecomment-920879714.
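A bounded decode of a CBOR byte string into a []byte, as an added example that is not part of the original post and is not the code of ugorji/go or fxamacker/cbor. It assumes the allocation size comes from the length declared in the byte string header (the post does not show the code at that line); the function names, error values and sample input are hypothetical and constructed here.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	errMalformed = errors.New("cbor: malformed or unsupported byte string header")
	errTooLong   = errors.New("cbor: declared length exceeds remaining input")
)

// byteStringLen parses a definite-length byte string header (major type 2).
func byteStringLen(in []byte) (hdr int, n uint64, err error) {
	if len(in) == 0 || in[0]>>5 != 2 {
		return 0, 0, errMalformed
	}
	ai := int(in[0] & 0x1f) // additional information
	if ai < 24 {
		return 1, uint64(ai), nil // length stored in the initial byte
	}
	w := 1 << (ai - 24) // argument width: 1, 2, 4 or 8 bytes for ai 24..27
	if ai > 27 || len(in) < 1+w {
		return 0, 0, errMalformed // reserved, indefinite (31) or truncated
	}
	for _, b := range in[1 : 1+w] {
		n = n<<8 | uint64(b) // big-endian length argument
	}
	return 1 + w, n, nil
}

// decodeBytes copies the payload only after checking the declared length.
func decodeBytes(in []byte) ([]byte, error) {
	hdr, n, err := byteStringLen(in)
	if err != nil {
		return nil, err
	}
	if n > uint64(len(in)-hdr) { // never size a buffer from an unchecked header
		return nil, errTooLong
	}
	return append([]byte(nil), in[hdr:hdr+int(n)]...), nil
}

func main() {
	// Constructed input: header declares 1 TiB, only one payload byte follows.
	huge := []byte{0x5b, 0, 0, 1, 0, 0, 0, 0, 0, 'x'}
	_, err := decodeBytes(huge)
	fmt.Println(err)
}
```

When the input is a stream rather than a complete buffer, the same check becomes a configured maximum length plus reading in fixed-size chunks, so memory grows only with bytes actually received.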