feat: Use a bounded reader to read the encrypted signer state from SignerDB

libsigner/src/messages.rs

@@ -38,6 +38,7 @@ use blockstack_lib::net::api::postblock_proposal::{
     BlockValidateReject, BlockValidateResponse, ValidateRejectCode,
 };
 use blockstack_lib::util_lib::boot::boot_code_id;
+use clarity::util::retry::BoundReader;
 use clarity::vm::types::serialization::SerializationError;
 use clarity::vm::types::QualifiedContractIdentifier;
 use hashbrown::{HashMap, HashSet};
@@ -403,7 +404,12 @@ impl StacksMessageCodec for SignerMessage {
                 }
             }
             SignerMessageTypePrefix::EncryptedSignerState => {
-                let encrypted_state = read_next::<_, _>(fd)?;
+                // Typically the size of the signer state is much smaller, but in the fully degenerate case the size of dkg shares is
+                // (2800 + 2800) * 32 (threshold * shares * 32).
+                // The signer state holds some additional information, so we're adding a factor 4 to have some margin
+                let max_encrypted_state_size = (2800 + 2800) * 32 * 4;
+                let mut bound_reader = BoundReader::from_reader(fd, max_encrypted_state_size);
+                let encrypted_state = read_next::<_, _>(&mut bound_reader)?;
                 SignerMessage::EncryptedSignerState(encrypted_state)
             }
         };