yash-agarwa-l opened a new pull request, #3434:
URL: https://github.com/apache/fory/pull/3434
## Why?
Untrusted payloads can encode arbitrarily large collection/binary lengths,
causing pre-allocation of huge buffers and OOM crashes before any
elements are even deserialized.
## What does this PR do?
- Adds two nullable config options `maxBinarySize` and `maxCollectionSize`
to `ForyConfig` (defaults to `null` = unlimited, fully
backward-compatible).
- Threads `ForyConfig` into `DeserializationContext` so serializers can
access limits at read time.
- Adds `DeserializationSizeException` following existing exception
conventions.
- Enforces `maxCollectionSize` in `ListSerializer`, `SetSerializer`, and
`MapSerializer` before pre-allocation.
- Enforces `maxBinarySize` in `NumericArraySerializer` for `ObjType.BINARY`
before buffer copy.
- Adds 15 test cases covering within-limit, at-limit, exceeded, empty,
and null (unlimited) scenarios for lists, sets, maps, and binary.
## Related issues
Closes #3415.
## Does this PR introduce any user-facing change?
- [x] Does this PR introduce any public API change?
- [ ] Does this PR introduce any binary protocol compatibility change?
## Benchmark
N/A — guard checks are a single null-check + comparison per
collection/binary read; no measurable performance impact.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
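The guard described in the pull request above, as an added Python example that is not code from the PR or from Apache Fory: a declared length is compared with a configured limit before anything is allocated from it. The wire framing (4-byte big-endian length prefix), the `Reader` and `Limits` classes and the sample payloads are assumptions made for illustration; only the option and exception names echo the PR text. The truncation check in `read_binary` goes beyond what the PR describes.

```python
import struct
from dataclasses import dataclass
from typing import Optional


class DeserializationSizeException(Exception):
    """Declared length exceeds a configured limit (name echoes the PR text)."""


@dataclass(frozen=True)
class Limits:
    # None means unlimited, matching the defaults described in the PR.
    max_collection_size: Optional[int] = None
    max_binary_size: Optional[int] = None


class Reader:
    """Hypothetical reader for a constructed toy format, not Fory's protocol."""

    def __init__(self, data: bytes, limits: Limits = Limits()):
        self.data, self.pos, self.limits = data, 0, limits

    def _read_len(self, limit: Optional[int], kind: str) -> int:
        # Assumed framing: 4-byte big-endian unsigned length prefix.
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        # The guard runs before any allocation sized by the untrusted value.
        if limit is not None and n > limit:
            raise DeserializationSizeException(f"{kind} length {n} > limit {limit}")
        return n

    def read_list(self) -> list:
        n = self._read_len(self.limits.max_collection_size, "collection")
        out = [0] * n  # pre-allocation driven by the declared count
        for i in range(n):
            (out[i],) = struct.unpack_from(">i", self.data, self.pos)
            self.pos += 4
        return out

    def read_binary(self) -> bytes:
        n = self._read_len(self.limits.max_binary_size, "binary")
        # Not part of the PR: also reject a length larger than the bytes present.
        if n > len(self.data) - self.pos:
            raise ValueError("truncated binary payload")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


# Constructed samples: an honest 3-element list, and a bare header claiming 2**31 elements.
GOOD_LIST = struct.pack(">I3i", 3, 10, 20, 30)
HOSTILE_LIST = struct.pack(">I", 2**31)
```

Reading `HOSTILE_LIST` with no limit configured would attempt the full pre-allocation from a 4-byte input, which is the failure mode the PR's "Why?" section describes.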