chaokunyang commented on code in PR #3429:
URL: https://github.com/apache/fory/pull/3429#discussion_r2867123859
##########
python/pyfory/serializer.py:
##########
@@ -549,7 +549,7 @@ def write(self, buffer, value):
def read(self, buffer):
if not self.fory.is_peer_out_of_band_enabled:
- return buffer.read_bytes_and_size()
+ return buffer.read_bytes_and_size(self.fory.max_binary_size)
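Review bot: the limit is threaded into only one of the two return paths of `read`; the hunk changes the `not self.fory.is_peer_out_of_band_enabled` return and shows no change to the other branch, so bytes that arrive through that branch are still read without a length check. Either pass `self.fory.max_binary_size` to whatever that branch calls to pull in-band bytes off the stream, or enforce the limit once at the single point where a declared length is read from the untrusted buffer, so no caller can skip it. The hunk also adds no test; a round trip that writes an oversized in-band payload and deserializes it with `max_binary_size` set and `buffers=` supplied would pin the behaviour on both paths.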
Review Comment:
[P1] max_binary_size is bypassed when peer out-of-band mode is enabled
In `BytesSerializer.read`, the limit is only enforced on the `not
self.fory.is_peer_out_of_band_enabled` branch. When peer out-of-band mode is
enabled (`deserialize(..., buffers=...)`) and the payload marks bytes as
in-band, execution goes through `read_buffer_object` with no size check, so
oversized bytes are accepted despite `max_binary_size`.
Repro:
- Serialize bytes with `buffer_callback` returning `True` (in-band OOB
protocol path).
- Deserialize with `Fory(max_binary_size=10)` and `buffers=iter(())`.
- A 100-byte payload deserializes successfully instead of raising.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
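The bypass described in the review comment, modelled in a small self-contained example added here; this is constructed illustration code, not pyfory's `Buffer` or `BytesSerializer`. The `Buffer`, `write_bytes`, `read_bytes_unpatched`, `read_bytes_hardened` and `repro` names are hypothetical, the wire format (one in-band flag byte, a 4-byte little-endian length prefix) is invented for the demo, and the only thing it shares with the real code is the shape of the defect: a size limit enforced on one read path and silently skipped on the other.

```python
import struct

# Constructed model of a length-prefixed bytes serializer with an
# out-of-band (OOB) protocol. Not pyfory's code; names and wire format
# are hypothetical and exist only to show the one-path-checked defect.


class BinarySizeExceeded(ValueError):
    """Raised when a declared byte length exceeds the configured limit."""


class Buffer:
    """Minimal growable byte buffer with a read cursor (constructed, not pyfory's)."""

    def __init__(self, data=b""):
        self.data = bytearray(data)
        self.pos = 0

    def write_int8(self, v):
        self.data.append(v & 0xFF)

    def write_bytes_and_size(self, b):
        self.data += struct.pack("<I", len(b)) + b

    def read_int8(self):
        v = self.data[self.pos]
        self.pos += 1
        return v

    def read_bytes_and_size(self, max_size=None):
        # Validate the attacker-controlled length prefix BEFORE consuming the
        # payload, so an oversized declaration never drives a large read.
        (n,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        if max_size is not None and n > max_size:
            raise BinarySizeExceeded(f"declared size {n} exceeds max_binary_size {max_size}")
        if n > len(self.data) - self.pos:
            raise ValueError("truncated payload")
        out = bytes(self.data[self.pos:self.pos + n])
        self.pos += n
        return out


def write_bytes(buffer, value, buffer_callback=None):
    """Writer side. Without a callback: plain length-prefixed bytes. With a
    callback: the OOB protocol, where the callback returning True keeps the
    bytes in-band and False means the caller ships them separately."""
    if buffer_callback is None:
        buffer.write_bytes_and_size(value)
        return
    in_band = buffer_callback(value)
    buffer.write_int8(1 if in_band else 0)
    if in_band:
        buffer.write_bytes_and_size(value)


def _read_buffer_object(buffer, buffers, max_size):
    """OOB protocol reader. In-band bytes come from the untrusted stream and
    must be limited; out-of-band bytes come from the caller's own `buffers`."""
    if buffer.read_int8():
        return buffer.read_bytes_and_size(max_size)
    return next(buffers)


def read_bytes_unpatched(buffer, max_binary_size, buffers=None):
    """Mirrors the reported defect: the limit is enforced only on the non-OOB
    branch; the OOB branch reads in-band bytes with no size check."""
    if buffers is None:
        return buffer.read_bytes_and_size(max_binary_size)
    return _read_buffer_object(buffer, buffers, None)


def read_bytes_hardened(buffer, max_binary_size, buffers=None):
    """Fix: every path that reads bytes out of the untrusted stream gets the limit."""
    if buffers is None:
        return buffer.read_bytes_and_size(max_binary_size)
    return _read_buffer_object(buffer, buffers, max_binary_size)


def repro(reader, max_binary_size=10, payload_len=100):
    """The comment's repro: in-band OOB write, then deserialize with a small
    limit and an empty external buffer iterator. Returns 'accepted' or 'rejected'."""
    buf = Buffer()
    write_bytes(buf, b"A" * payload_len, buffer_callback=lambda _v: True)
    try:
        reader(buf, max_binary_size, buffers=iter(()))
    except BinarySizeExceeded:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("unpatched:", repro(read_bytes_unpatched))  # accepted: limit bypassed
    print("hardened: ", repro(read_bytes_hardened))   # rejected
```

The design point is where the check lives: `read_bytes_and_size` takes the limit as a parameter, so any caller that forgets to pass it reopens the hole. Pushing the limit into the buffer itself (set once at construction, consulted on every length-prefixed read) removes that class of mistake, at the cost of the buffer needing to know the deserializer's configuration.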