From 9ffafeb2ea6e79a8ad95100500785a868da229ba Mon Sep 17 00:00:00 2001
From: MoneroOcean <33983510+MoneroOcean@users.noreply.github.com>
Date: Fri, 29 May 2026 10:19:04 -0700
Subject: [PATCH] Limit RTM address decode input lengths

---
 rtm.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rtm.js b/rtm.js
index afe2d636..eb7d20f7 100644
--- a/rtm.js
+++ b/rtm.js
@@ -387,7 +387,12 @@ function sha256(buffer) {
   return crypto.createHash('sha256').update(buffer).digest();
 }
 
+const MAX_BASE58_ADDRESS_LENGTH = 128;
+const MAX_BECH32_ADDRESS_LENGTH = 128;
+
 function decodeBase58Check(value) {
+  if (value.length > MAX_BASE58_ADDRESS_LENGTH) throw new Error('Base58 address too long');
+
   let num = 0n;
   for (const char of value) {
     const index = BASE58_INDEXES.get(char);
@@ -412,6 +417,7 @@ function decodeBase58Check(value) {
 }
 
 function addressToScript(addr) {
+  if (addr.length > MAX_BECH32_ADDRESS_LENGTH) throw new Error('Invalid address ' + addr);
   let decoded;
   try {
     decoded = decodeBase58Check(addr);