Currently, the implementation trusts the provided message and pre-alloc bytes before reading the buffer.

The implementation should either pre-alloc if, and only if, the reader is guaranteed to have enough bytes, or pre-alloc smaller amounts.

Naive pre-alloc may allow malicious users to DDoS