SURYAS1306 opened a new pull request, #3438:
URL: https://github.com/apache/fory/pull/3438

   ## Why?
   
   Currently there are no configurable limits for payload-driven lengths in 
Java deserialization.  
   Untrusted binary/map/list lengths can trigger large allocations and memory 
pressure.
   
   This PR introduces configurable guardrails to prevent excessive memory 
allocation during deserialization.
   
   ---
   
   ## What does this PR do?
   
   - Adds two runtime configuration options:
     - `maxBinarySize`
     - `maxCollectionSize`
   
   - Enforces:
     - `maxCollectionSize` for:
       - Collection reads  
       - Map reads (entry count)  
       - Primitive numeric list reads  
     - `maxBinarySize` for:
       - Raw byte list reads (`Int8List`, `Uint8List`)
   
   - String reads are intentionally excluded as specified in issue #3411.
   
   - Throws `IllegalArgumentException` when configured limits are exceeded.
   
   - No behavior change when limits are unset or set to `0`.
   
   All existing tests pass.
   
   ---
   
   ## Related issues
   
   Fixes #3411
   
   ---
   
   ## Does this PR introduce any user-facing change?
   
   - [x] Does this PR introduce any public API change?  
   - [ ] Does this PR introduce any binary protocol compatibility change?
   
   This introduces new configuration options but does not modify the binary 
protocol.
   
   ---
   
   ## Benchmark
   
   Not applicable. This change does not modify serialization logic or 
performance-critical paths beyond adding guard checks.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
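
The guard the pull request describes, as an added example that is not code from the PR or from Apache Fory: a payload-declared length is checked against a configured limit before anything is allocated, and `0` leaves the limit off. The class `GuardedReader`, its methods, and the 4-byte length-prefixed wire format are assumptions made for this sketch; only the option names `maxBinarySize` and `maxCollectionSize` and the `IllegalArgumentException` come from the description.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

// Hypothetical reader, not Fory's implementation. Wire format is constructed for
// this example: a 4-byte big-endian length/count prefix followed by the payload.
public class GuardedReader {
    private final int maxBinarySize, maxCollectionSize; // 0 = unlimited, as the PR describes

    GuardedReader(int maxBinarySize, int maxCollectionSize) {
        this.maxBinarySize = maxBinarySize;
        this.maxCollectionSize = maxCollectionSize;
    }

    // Reject a payload-declared length before anything is allocated for it.
    private static int checked(int declared, int limit, String what) {
        if (declared < 0) {
            throw new IllegalArgumentException(what + " length is negative: " + declared);
        }
        if (limit > 0 && declared > limit) {
            throw new IllegalArgumentException(what + " length " + declared + " exceeds limit " + limit);
        }
        return declared;
    }

    byte[] readBinary(ByteBuffer in) {
        int n = checked(in.getInt(), maxBinarySize, "binary");
        byte[] out = new byte[n];   // allocation happens only after the check
        in.get(out);
        return out;
    }

    List<Integer> readIntList(ByteBuffer in) {
        int n = checked(in.getInt(), maxCollectionSize, "collection");
        List<Integer> out = new ArrayList<>(n);   // capacity is attacker-chosen without the check
        for (int i = 0; i < n; i++) out.add(in.getInt());
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: a 4-byte prefix declaring 0x7FFFFFFF bytes, with no payload behind it.
        ByteBuffer hostile = ByteBuffer.wrap(new byte[] {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF});
        try {
            new GuardedReader(1 << 20, 10_000).readBinary(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```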

