From 458ad749015dc79068077d523590c5eab096a8c7 Mon Sep 17 00:00:00 2001
From: Krisztian Kovacs <krisztian@equilibrium.co>
Date: Thu, 9 Jan 2025 15:55:39 +0100
Subject: [PATCH 1/2] fix(p2p,rpc): limit Cairo 0 class definition size

Make sure the uncompressed size of Cairo 0 class definitions does not
exceed our limit of 4 MiB.

Closes #2471
---
 crates/common/src/class_definition.rs | 2 ++
 crates/p2p/src/client/conv.rs         | 4 ++--
 crates/rpc/src/types/class.rs         | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/crates/common/src/class_definition.rs b/crates/common/src/class_definition.rs
index e6e8c35b29..665c5466ea 100644
--- a/crates/common/src/class_definition.rs
+++ b/crates/common/src/class_definition.rs
@@ -10,6 +10,8 @@ use serde_with::serde_as;
 
 use crate::{ByteCodeOffset, EntryPoint};
 
+pub const CLASS_DEFINITION_MAX_ALLOWED_SIZE: u64 = 4 * 1024 * 1024;
+
 #[derive(Debug, Deserialize, Dummy)]
 pub enum ClassDefinition<'a> {
     Sierra(Sierra<'a>),
diff --git a/crates/p2p/src/client/conv.rs b/crates/p2p/src/client/conv.rs
index 43f104915a..1e439cd77b 100644
--- a/crates/p2p/src/client/conv.rs
+++ b/crates/p2p/src/client/conv.rs
@@ -909,10 +909,10 @@ impl TryFromDto<p2p_proto::class::Cairo0Class> for CairoDefinition {
         let abi = dto.abi;
 
         let compressed_program = base64::decode(dto.program)?;
-        let mut gzip_decoder =
-            flate2::read::GzDecoder::new(std::io::Cursor::new(compressed_program));
+        let gzip_decoder = flate2::read::GzDecoder::new(std::io::Cursor::new(compressed_program));
         let mut program = Vec::new();
         gzip_decoder
+            .take(pathfinder_common::class_definition::CLASS_DEFINITION_MAX_ALLOWED_SIZE)
             .read_to_end(&mut program)
             .context("Decompressing program JSON")?;
 
diff --git a/crates/rpc/src/types/class.rs b/crates/rpc/src/types/class.rs
index ef2efa3849..74a72226a0 100644
--- a/crates/rpc/src/types/class.rs
+++ b/crates/rpc/src/types/class.rs
@@ -223,10 +223,11 @@ impl CairoContractClass {
 
     pub fn serialize_to_json(&self) -> anyhow::Result<Vec<u8>> {
         // decode program
-        let mut decompressor =
+        let decompressor =
             flate2::read::GzDecoder::new(Cursor::new(base64::decode(&self.program).unwrap()));
         let mut program = Vec::new();
         decompressor
+            .take(pathfinder_common::class_definition::CLASS_DEFINITION_MAX_ALLOWED_SIZE)
             .read_to_end(&mut program)
             .context("Decompressing program")?;
 

From f249cfdcff2701831c99d084d2ad70113a0085d6 Mon Sep 17 00:00:00 2001
From: Krisztian Kovacs <krisztian@equilibrium.co>
Date: Thu, 9 Jan 2025 15:58:12 +0100
Subject: [PATCH 2/2] chore: update CHANGELOG

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4c638678a7..6bc4a3be80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - Use aggregate Bloom filters for `starknet_getEvents` to improve performance.
+- Cairo 0 class definition size is now capped at 4 MiB.
 
 ## [0.15.2] - 2024-12-04