Description
Memory is not secure and may be vulnerable to attacks.
See the code:

File: decode_slice.go

```go
func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
	n, err := d.arrayLen(c)
	if err != nil {
		return nil, err
	}
	if n == -1 {
		return nil, nil
	}

	s := make([]interface{}, 0, n) // dangerous code
	for i := 0; i < n; i++ {
		v, err := d.decodeInterfaceCond()
		if err != nil {
			return nil, err
		}
		s = append(s, v)
	}

	return s, nil
}
```
If someone modifies the length of the array to 1M, they will request at least 1M of memory. If it is an N-dimensional array, N*1M of memory will be required, which can easily lead to memory request attacks.
I think safe code should be like this:
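```go
var sliceAllocLen = 64 // configurable or suggested length

func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
	n, err := d.arrayLen(c)
	if err != nil {
		return nil, err
	}
	if n == -1 {
		return nil, nil
	}

	// Cap only the up-front capacity. The loop below still decodes all n
	// elements, and append grows the slice as elements actually arrive.
	allocLen := n
	if allocLen > sliceAllocLen {
		allocLen = sliceAllocLen
	}

	s := make([]interface{}, 0, allocLen)
	for i := 0; i < n; i++ {
		v, err := d.decodeInterfaceCond()
		if err != nil {
			return nil, err
		}
		s = append(s, v)
	}

	return s, nil
}
```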
I don't think we should trust the length of arrays in the data stream; it is necessary to limit the length of the array and also limit its recursive depth.

If we can determine the remaining length of the input stream, the limit can be easily determined, which makes it more efficient. For example, if there are 1024 bytes left, the length of the array will not exceed 1024.

I used translation software; please forgive any unclear descriptions.
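The three limits proposed in this issue (capped preallocation, a nesting-depth limit, and a check against the remaining input) combined in one stand-alone decoder. This is an added example, not code from the library or from the issue author. The names `decode`, `maxPrealloc`, `maxDepth` and `errBad` are hypothetical, the depth limit of 16 is an assumed value, and only positive fixint, fixarray and array32 are handled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPrealloc, maxDepth = 64, 16 // assumed limits: up-front capacity, nesting depth

var errBad = errors.New("rejected: truncated, oversized or too deeply nested input")

// decode reads one value (positive fixint or array) from b and returns it with the unread rest.
func decode(b []byte, depth int) (interface{}, []byte, error) {
	if len(b) == 0 || depth > maxDepth {
		return nil, nil, errBad
	}
	c, b := b[0], b[1:]
	var n int
	switch {
	case c <= 0x7f: // positive fixint
		return int(c), b, nil
	case c&0xf0 == 0x90: // fixarray: length in the low 4 bits
		n = int(c & 0x0f)
	case c == 0xdd && len(b) >= 4: // array32: 4-byte big-endian length
		n, b = int(binary.BigEndian.Uint32(b)), b[4:]
	default:
		return nil, nil, errBad
	}
	// Every element occupies at least one byte, so a declared length larger
	// than the remaining input cannot be satisfied and is rejected before allocating.
	if n < 0 || n > len(b) {
		return nil, nil, errBad
	}
	capHint := n // the cap limits preallocation only; all n elements are still decoded
	if capHint > maxPrealloc {
		capHint = maxPrealloc
	}
	s := make([]interface{}, 0, capHint)
	for i := 0; i < n; i++ {
		v, rest, err := decode(b, depth+1)
		if err != nil {
			return nil, nil, err
		}
		s, b = append(s, v), rest
	}
	return s, b, nil
}

func main() { fmt.Println(decode([]byte{0xdd, 0xff, 0xff, 0xff, 0xff}, 0)) } // constructed hostile header, no body
```

The remaining-input check needs the whole message in memory; a decoder reading from a stream of unknown length can rely only on the capacity cap and the depth limit.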