From 3b603f08eda07accdcfc2dcbf4e278b820815ff5 Mon Sep 17 00:00:00 2001
From: Greyson Parrelli
Date: Thu, 9 Apr 2026 08:39:13 -0400
Subject: [PATCH] Add defensive size check to stream read.
---
 .../java/org/signal/archive/stream/EncryptedBackupReader.kt | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/archive/src/main/java/org/signal/archive/stream/EncryptedBackupReader.kt b/lib/archive/src/main/java/org/signal/archive/stream/EncryptedBackupReader.kt
index 3834cf6c97..914dce2d8a 100644
--- a/lib/archive/src/main/java/org/signal/archive/stream/EncryptedBackupReader.kt
+++ b/lib/archive/src/main/java/org/signal/archive/stream/EncryptedBackupReader.kt
@@ -49,6 +49,7 @@ class EncryptedBackupReader private constructor(
 companion object {
 const val MAC_SIZE = 32
+ private const val MAX_FORWARD_SECRECY_METADATA_SIZE = 16 * 1024
 /**
 * Estimated upperbound need to read backup secrecy metadata from the start of a file.
@@ -123,6 +124,9 @@ class EncryptedBackupReader private constructor(
 return null
 }
 val metadataLength = stream.readVarInt32()
+ if (metadataLength < 0 || metadataLength > MAX_FORWARD_SECRECY_METADATA_SIZE) {
+ throw IOException("Invalid forward secrecy metadata length: $metadataLength")
+ }
 return stream.readNBytesOrThrow(metadataLength)
 }
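Review bot: The new `MAX_FORWARD_SECRECY_METADATA_SIZE` in the first hunk has no comment saying where 16 KiB comes from or how it relates to the "estimated upperbound" constant documented directly below it in the companion object. That constant's value is outside the hunk; if it is smaller than the new cap plus the header bytes, a caller that buffers only the estimated prefix could hit end-of-stream on a metadata length this check accepts. I would add a KDoc line such as `/** Hard cap on the length-prefixed forward secrecy metadata; the length is read from the file and must be bounded before it is used as a read size. */` and confirm the two values agree.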
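Review bot: A `metadataLength` of 0 still passes the guard added in the second hunk and goes on to `readNBytesOrThrow(0)`, which presumably yields an empty array instead of a failure. If empty forward secrecy metadata is never valid, the lower bound should be `if (metadataLength <= 0 || metadataLength > MAX_FORWARD_SECRECY_METADATA_SIZE) {`. The earlier branch of this function returns null while the new one throws `IOException`, so callers now have two distinct failure outcomes to handle. The signature and KDoc are outside the hunk, but a `@throws IOException` line stating that an out-of-range length is rejected would document this. The commit touches one file only, so a test feeding a negative and an over-limit varint would also help pin the behaviour.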