spl-token-2022 accepts token-metadata interface instructions through a dispatch
fall-through to TokenMetadataInstruction::unpack(input) in
program/src/processor.rs:2236-2237. For three of the metadata variants — Initialize,
UpdateField, RemoveKey — the decoder calls try_from_slice(rest) directly on
attacker-controlled instruction-data bytes after matching an 8-byte discriminator
(defined in spl-token-metadata-interface 0.8.0 at src/instruction.rs:170-180). Those
types contain Borsh String fields. A forged u32::MAX length prefix causes Borsh to
attempt a multi-gigabyte allocation against the SBF VM's bounded heap; the program
aborts with ProgramFailedToComplete instead of returning a typed
InvalidInstructionData error.
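
As an added example (not code from spl-token-2022 or the interface crate), the sketch below shows the length check that turns the forged-prefix case into a typed error: a hand-written reader for the Borsh String layout that compares the declared u32 length with the bytes remaining before it allocates. The type and function names and the three-string sample payload are assumptions made for illustration.

```rust
// Added example; DecodeError, read_borsh_string, decode_string_fields and encode are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,          // fewer than 4 bytes left for a length prefix
    LengthExceedsInput, // declared length is larger than the bytes that remain
    InvalidUtf8,
    TrailingBytes,      // input not fully consumed
}

/// Read one Borsh String (u32 little-endian length, then UTF-8 bytes) from the front
/// of `input`, checking the declared length against the bytes present before allocating.
pub fn read_borsh_string(input: &mut &[u8]) -> Result<String, DecodeError> {
    let data: &[u8] = *input;
    if data.len() < 4 { return Err(DecodeError::Truncated); }
    let declared = u32::from_le_bytes([data[0], data[1], data[2], data[3]]) as usize;
    let rest = &data[4..];
    if declared > rest.len() { return Err(DecodeError::LengthExceedsInput); }
    let (body, tail) = rest.split_at(declared);
    let s = std::str::from_utf8(body).map_err(|_| DecodeError::InvalidUtf8)?;
    *input = tail; // advance the caller's cursor past this field
    Ok(s.to_owned())
}

/// Decode `count` consecutive Strings and require that every byte is consumed.
pub fn decode_string_fields(mut rest: &[u8], count: usize) -> Result<Vec<String>, DecodeError> {
    let mut fields = Vec::new(); // grows only as real bytes are decoded
    for _ in 0..count { fields.push(read_borsh_string(&mut rest)?); }
    if !rest.is_empty() { return Err(DecodeError::TrailingBytes); }
    Ok(fields)
}

/// Build constructed sample input: one string in Borsh layout.
pub fn encode(s: &str) -> Vec<u8> {
    let mut out = (s.len() as u32).to_le_bytes().to_vec();
    out.extend_from_slice(s.as_bytes());
    out
}

fn main() {
    let good = [encode("name"), encode("SYM"), encode("uri")].concat();
    println!("{:?}", decode_string_fields(&good, 3));
    // Constructed malformed input: u32::MAX length prefix followed by a 2-byte body.
    let mut forged = u32::MAX.to_le_bytes().to_vec();
    forged.extend_from_slice(b"ab");
    println!("{:?}", decode_string_fields(&forged, 3));
}
```

The malformed input is rejected with `LengthExceedsInput` without any allocation sized from the prefix, which is the typed-error behaviour the paragraph above says is missing.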