harden against dos with crafted input by limiting reserved vec/map size

src/demo/packet/datatable.rs

@@ -9,6 +9,7 @@ use parse_display::{Display, FromStr};
 use serde::{Deserialize, Serialize};
 use std::borrow::Borrow;
 use std::cell::{Cell, RefCell};
+use std::cmp::min;
 use std::fmt;
 use std::num::ParseIntError;
 use std::ops::Deref;
@@ -83,7 +84,7 @@ impl ParseSendTable {
         let prop_count = stream.read_int(10)?;
 
         let mut array_element_prop = None;
-        let mut props = Vec::with_capacity(prop_count);
+        let mut props = Vec::with_capacity(min(prop_count, 128));
 
         for prop_index in 0..prop_count {
             let definition_index = SendPropDefinitionIndex::new(table_index, prop_index);

src/demo/packet/stringtable.rs

@@ -4,6 +4,7 @@ use bitstream_reader::{BitRead, LittleEndian};
 
 use crate::demo::message::stringtable::StringTableMeta;
 use crate::{Parse, ParseError, ParserState, ReadResult, Result, Stream};
+use std::cmp::min;
 
 #[derive(BitRead, Clone, Copy, Debug)]
 pub struct FixedUserDataSize {
@@ -36,7 +37,7 @@ impl BitRead<LittleEndian> for StringTable {
     fn read(stream: &mut Stream) -> ReadResult<Self> {
         let name = stream.read()?;
         let entry_count = stream.read_int(16)?;
-        let mut entries = Vec::with_capacity(entry_count as usize);
+        let mut entries = Vec::with_capacity(min(entry_count, 128) as usize);
 
         for index in 0..entry_count {
             entries.push((index, stream.read()?))