github
diff --git a/‎.changeset/patch-fix-allocation-overflow-mcp-domain-merging.md‎
Lines changed: 7 additions & 0 deletions b/‎.changeset/patch-fix-allocation-overflow-mcp-domain-merging.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/parser/mcp.go‎
Lines changed: 6 additions & 1 deletion b/‎pkg/parser/mcp.go‎
Lines changed: 6 additions & 1 deletion
@@ -32,7 +32,12 @@ func EnsureLocalhostDomains(domains []string) []string {
 		}
 	}
 
-	result := make([]string, 0, len(domains)+4)
+	// CWE-190: Allocation Size Overflow Prevention
+	// Instead of pre-calculating capacity (len(domains)+4), which could overflow
+	// if domains is extremely large, we let Go's append handle capacity growth
+	// automatically. This is safe and efficient for domain arrays which are
+	// typically small in practice.
+	var result []string
 
 	// Always add localhost domains first (with and without port specifications)
 	if !hasLocalhost {
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,12 @@ func EnsureLocalhostDomains(domains []string) []string {`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`
`35`		`- result := make([]string, 0, len(domains)+4)`
	`35`	`+ // CWE-190: Allocation Size Overflow Prevention`
	`36`	`+ // Instead of pre-calculating capacity (len(domains)+4), which could overflow`
	`37`	`+ // if domains is extremely large, we let Go's append handle capacity growth`
	`38`	`+ // automatically. This is safe and efficient for domain arrays which are`
	`39`	`+ // typically small in practice.`
	`40`	`+ var result []string`
`36`	`41`
`37`	`42`	`// Always add localhost domains first (with and without port specifications)`
`38`	`43`	`if !hasLocalhost {`