ayush00git opened a new pull request, #3620:
URL: https://github.com/apache/fory/pull/3620

   ## Why?
   Malicious payloads could specify a massive `fieldCount`, causing the runtime to attempt an unbounded memory allocation.
   Deeply nested schema definitions (like a LIST of LIST...) could trigger unbounded recursion, exceeding the goroutine stack limit and crashing the process.
   
   ## What does this PR do?
   Added a hard limit of 10,000 fields and a buffer-remaining check in `decodeTypeDef` to prevent massive slice allocations.
   Added a depth parameter to `readFieldType` and `readFieldTypeWithFlags`, capping nested schema definitions at a maximum depth of 64.
   
   ## Related issues
   #3619 
   
   ## AI Contribution Checklist
   
   <!-- Full requirements and disclosure template:
   https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs -->
   
   - [ ] Substantial AI assistance was used in this PR: `yes` / `no`
   - [ ] If `yes`, I included a completed [AI Contribution Checklist](https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs) in this PR description and the required `AI Usage Disclosure`.
   - [ ] If `yes`, my PR description includes the required `ai_review` summary and screenshot evidence of the final clean AI review results from both fresh reviewers on the current PR diff or current HEAD after the latest code changes.
   
   <!-- If substantial AI assistance = `yes`, paste the completed checklist and 
disclosure block here, including the final ai_review summary and screenshot 
evidence from both fresh reviewers on the current PR diff or current HEAD after 
the latest code changes. -->
   
   ## Does this PR introduce any user-facing change?
   
   <!--
   If any user-facing interface changes, please [open an 
issue](https://github.com/apache/fory/issues/new/choose) describing the need to 
do so and update the document if necessary.
   
   Delete section if not applicable.
   -->
   
   - [ ] Does this PR introduce any public API change?
   - [ ] Does this PR introduce any binary protocol compatibility change?
   
   ## Benchmark
   
   <!--
   When the PR has an impact on performance (if you don't know whether the PR will have an impact on performance, you can submit the PR first, and if it will have impact on performance, the code reviewer will explain it), be sure to attach a benchmark data here.
   
   Delete section if not applicable.
   -->
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
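To make the two guards in the PR description concrete, here is an added Go sketch (not the PR's own code, and using a constructed, simplified type-def encoding rather than Fory's real wire format) of a `decodeTypeDef`/`readFieldType` pair that applies the 10,000-field cap, the buffer-remaining check, and the depth-64 recursion limit before any allocation or recursion is driven by untrusted input.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Limits from the PR (10,000 fields, depth 64) and a constructed LIST tag (not Fory's real format).
const maxFieldCount, maxTypeDepth, tagList = 10000, 64, 0x10

// readFieldType reads one field type at pos; a LIST recurses into its element type,
// and depth bounds that recursion so LIST<LIST<...>> cannot exhaust the goroutine stack.
func readFieldType(buf []byte, pos, depth int) (byte, int, error) {
	if depth > maxTypeDepth {
		return 0, pos, errors.New("nested type exceeds max depth")
	}
	if pos >= len(buf) {
		return 0, pos, errors.New("unexpected end of buffer")
	}
	if tag := buf[pos]; tag == tagList {
		_, next, err := readFieldType(buf, pos+1, depth+1)
		return tag, next, err
	}
	return buf[pos], pos + 1, nil
}

// decodeTypeDef checks the untrusted fieldCount against the hard cap and the bytes
// actually remaining (each field needs at least one byte) before sizing any allocation.
func decodeTypeDef(buf []byte) ([]byte, error) {
	if len(buf) < 4 {
		return nil, errors.New("unexpected end of buffer")
	}
	fieldCount, pos := binary.LittleEndian.Uint32(buf), 4 // constructed: uint32 LE count
	if fieldCount > maxFieldCount {
		return nil, errors.New("fieldCount exceeds hard limit")
	}
	if int(fieldCount) > len(buf)-pos {
		return nil, errors.New("fieldCount exceeds remaining buffer")
	}
	tags := make([]byte, 0, fieldCount) // allocation is now bounded
	for i := uint32(0); i < fieldCount; i++ {
		tag, next, err := readFieldType(buf, pos, 0)
		if err != nil {
			return nil, err
		}
		tags, pos = append(tags, tag), next
	}
	return tags, nil
}
```

The buffer-remaining check matters even with the hard cap: a count of 9,999 on a 12-byte payload would still size a slice far larger than the data can justify.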
