# Anchor IDL type parser panic on malformed array types (DoS)

**Project:** `solana-foundation/anchor`

**Component:** `idl/spec` (`IdlType::from_str`)

**Severity (practical):** Low–Medium (tooling DoS / crash)

## Summary

Anchor's IDL type string parser accepted array-like strings starting with `[` and then used `unwrap()` while splitting the "array" string at `;`. Malformed inputs such as `"[u832]"` (missing the `;` separator) caused a **panic**, crashing any consumer that parses untrusted IDL type strings.

This is a denial-of-service vector for tools that ingest IDLs from:

- third-party repos
- registries
- user-provided JSON
- CI pipelines

## Impact

Any process invoking `IdlType::from_str` on untrusted input could be crashed deterministically. Typical affected surfaces:

- IDL verification / linting pipelines
- indexers / codegen services
- build scripts that parse IDL types

Notably, this is **not an on-chain vulnerability** (it affects off-chain tooling), but it is still security-relevant because it enables reliable crashes of automation that handles external IDLs.

## Root cause

In `idl/spec/src/lib.rs`, the array parsing helper did:

- `inner.rsplit_once(';').unwrap()`
- `IdlType::from_str(raw_type).unwrap()`

Both unwraps can panic for malformed inputs.

## Reproduction (pre-fix)

Minimal repro (Rust):

```rust
use std::str::FromStr; // brings the `from_str` trait method into scope
use anchor_idl_spec::IdlType;

fn main() {
    // Missing the `;` length separator: this used to panic.
    let _ = IdlType::from_str("[u832]");
}
```

Observed behavior (pre-fix): panic due to `rsplit_once(';').unwrap()`.

## Fix

Replace the `unwrap()` calls in the array parser with error-returning logic:

- validate presence of the `;` separator
- parse nested arrays safely
- return a structured `anyhow::Error` instead of crashing

Add regression tests asserting that invalid array strings return `Err` (and never panic).
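As an added illustration (not Anchor's own code), the following self-contained, simplified stand-in for `IdlType` applies the three points of the fix to its array parser: it checks for the `;` separator, parses nested arrays recursively, and returns `Err` (a plain `ParseError` here instead of `anyhow::Error`) for every malformed shape, including the advisory's `"[u832]"`. The `IdlType` variants, `ParseError`, and the sample inputs are constructed for this example.

```rust
use std::str::FromStr;

/// Hypothetical, reduced stand-in for Anchor's IdlType (not the crate's enum).
#[derive(Debug, PartialEq)]
enum IdlType {
    U8,
    Bool,
    Array(Box<IdlType>, usize),
}

#[derive(Debug, PartialEq)]
struct ParseError(String);

/// Parse "[T; N]" (possibly nested) without any unwrap(): every malformed
/// shape becomes an Err value instead of a panic.
fn parse_array(s: &str) -> Result<IdlType, ParseError> {
    let inner = s
        .strip_prefix('[')
        .and_then(|rest| rest.strip_suffix(']'))
        .ok_or_else(|| ParseError(format!("array type must be wrapped in [ ]: {s}")))?;
    // rsplit_once keeps a nested element type like "[u8; 2]" intact on the left.
    let (raw_type, raw_len) = inner
        .rsplit_once(';')
        .ok_or_else(|| ParseError(format!("missing `;` length separator in {s}")))?;
    let len: usize = raw_len
        .trim()
        .parse()
        .map_err(|_| ParseError(format!("invalid array length `{}` in {s}", raw_len.trim())))?;
    let elem = IdlType::from_str(raw_type.trim())?; // recursion handles nesting
    Ok(IdlType::Array(Box::new(elem), len))
}

impl FromStr for IdlType {
    type Err = ParseError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.trim() {
            "u8" => Ok(IdlType::U8),
            "bool" => Ok(IdlType::Bool),
            other if other.starts_with('[') => parse_array(other),
            other => Err(ParseError(format!("unknown type `{other}`"))),
        }
    }
}

fn main() {
    // Constructed inputs: the advisory's "[u832]", an empty length, and valid (nested) arrays.
    for input in ["[u832]", "[u8; ]", "[u8; 32]", "[[u8; 2]; 3]"] {
        println!("{input:?} -> {:?}", IdlType::from_str(input));
    }
}
```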
## Patch / commit

- Commit: `cfe393bf43afe64c07963961938bc097de880d8d`
- Patch file: `superteam/patches/0001-idl-spec-avoid-panic-when-parsing-invalid-array-type.patch`

## Verification

Run unit tests for the affected crate:

```bash
cd anchor/idl/spec
cargo test
```

After the fix, all tests pass, including the new tests:

- `invalid_array_missing_length_separator_returns_error`
- `invalid_array_empty_length_returns_error`

## Notes

This fix is intentionally minimal in scope:

- no behavior changes for valid inputs
- only converts crashes into typed errors for invalid/malformed IDL type strings

## Disclosure

Coordinated via public patch submission (no secrets). No exploitation beyond crash reproduction.