decode_mdx_jsx_attr (crates/mdast/src/codec.rs), decode_element_prop and decode_mdx_jsx_attr (crates/hast/src/codec.rs), and decode_table_data (crates/mdast/src/codec.rs) compute offsets from counts read from type_data (e.g. base = 16 + index * 20) without verifying the data is large enough. Since buffers arrive from JS via NAPI, a crafted buffer with attr_count=1000 but only 16 bytes of type_data triggers an index out-of-bounds panic, which aborts the Node.js process (DoS).
from_raw_buffer validates global buffer structure but not per-node type_data semantic consistency.
Suggested fix: Add size guards at call sites before decode loops: data.len() >= 16 + count * 20, or make decode functions return Option/Result.
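The suggested guard, written as a fallible decode step. This is an added example, not code from the project. Only the 16-byte header and 20-byte record stride come from the report; the function name, the error type and the position of the count (a little-endian u32 at offset 0 of type_data) are assumptions made for illustration.

```rust
// Assumed layout (hypothetical): a 16-byte header whose first 4 bytes hold
// the record count as a little-endian u32, followed by `count` records of
// 20 bytes each. Only the constants 16 and 20 come from the report.
const HEADER_LEN: usize = 16;
const RECORD_LEN: usize = 20;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    TruncatedHeader { have: usize },
    TruncatedRecords { count: usize, need: usize, have: usize },
    LengthOverflow,
}

/// Check the declared count against the real buffer length once, then hand
/// back record slices that cannot index out of bounds.
pub fn checked_records(data: &[u8]) -> Result<Vec<&[u8]>, DecodeError> {
    let header = data
        .get(..HEADER_LEN)
        .ok_or(DecodeError::TruncatedHeader { have: data.len() })?;
    let count = u32::from_le_bytes([header[0], header[1], header[2], header[3]]) as usize;
    // checked_* so a huge count cannot wrap the required size on 32-bit targets.
    let need = count
        .checked_mul(RECORD_LEN)
        .and_then(|n| n.checked_add(HEADER_LEN))
        .ok_or(DecodeError::LengthOverflow)?;
    if data.len() < need {
        return Err(DecodeError::TruncatedRecords { count, need, have: data.len() });
    }
    Ok(data[HEADER_LEN..need].chunks_exact(RECORD_LEN).collect())
}

fn main() {
    // Constructed input: header claims 1000 records, buffer holds only the header.
    let mut crafted = vec![0u8; 16];
    crafted[..4].copy_from_slice(&1000u32.to_le_bytes());
    println!("{:?}", checked_records(&crafted));

    // Constructed input: two well-formed records.
    let mut ok = vec![0u8; 16 + 2 * 20];
    ok[..4].copy_from_slice(&2u32.to_le_bytes());
    println!("{:?}", checked_records(&ok).map(|r| r.len()));
}
```

Returning an error here lets the NAPI boundary surface a JS exception instead of a panic that aborts the process.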