From 04aa542215d72bdd32c6efba14d333cb5989af76 Mon Sep 17 00:00:00 2001 From: Garvit Singla Date: Thu, 26 Feb 2026 01:28:49 +0530 Subject: [PATCH 1/6] Forced the limits of max size --- cpp/fory/serialization/collection_serializer.h | 8 ++++++++ cpp/fory/serialization/config.h | 5 +++++ cpp/fory/serialization/map_serializer.h | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/cpp/fory/serialization/collection_serializer.h b/cpp/fory/serialization/collection_serializer.h index a780d1c0c1..d2a1909dcb 100644 --- a/cpp/fory/serialization/collection_serializer.h +++ b/cpp/fory/serialization/collection_serializer.h @@ -394,6 +394,10 @@ template inline Container read_collection_data_slow(ReadContext &ctx, uint32_t length) { Container result; if constexpr (has_reserve_v) { + if(length > ctx.config().max_collection_size) { + ctx.set_error(Error::invalid_data); + return result; + } result.reserve(length); } @@ -717,6 +721,10 @@ struct Serializer< } std::vector result; + if(length > ctx.config().max_collection_size) { + ctx.set_error(Error::invalid_data); + return result; + } result.reserve(length); // Fast path: no tracking, no nulls, elements have declared type diff --git a/cpp/fory/serialization/config.h b/cpp/fory/serialization/config.h index d471c39074..0dbe06f211 100644 --- a/cpp/fory/serialization/config.h +++ b/cpp/fory/serialization/config.h @@ -52,6 +52,11 @@ struct Config { /// When enabled, avoids duplicating shared objects and handles cycles. bool track_ref = true; + //max limits fot map,lists and collections + uint32_t max_string_length = 64 * 1024 * 1024; // 64MB default max string length + uint32_t max_collection_size = 10 * 1000 * 1000; // 1M default max collection size + uint32_t max_map_size = 1 * 1000 * 1000; // 1M default max map size + /// Default constructor with sensible defaults Config() = default; }; diff --git a/cpp/fory/serialization/map_serializer.h b/cpp/fory/serialization/map_serializer.h index 5bd9bea51b..0742562b39 100644 
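Review bot: In the `read_collection_data_slow` hunk the new `length > ctx.config().max_collection_size` check sits inside the `if constexpr (has_reserve_v)` branch, so container types without `reserve` never reach it and a wire-supplied length is still accepted unchecked for them. Moving the check above the `if constexpr`, directly after `Container result;`, would enforce the limit for every container type. The later patches in this series rewrite the condition but leave it in the same branch. The function body continues outside the hunk, so whether the element loop is otherwise bounded by the remaining input is not visible here.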
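Review bot: `result.reserve(length)` in the `std::vector` reader still preallocates from a wire-supplied length, now up to `max_collection_size` elements, before a single element has been decoded. With the default added in config.h (`10 * 1000 * 1000`) and a large element type, a payload of a few bytes can still request a very large allocation. Consider also capping the reservation by what the unread input could possibly contain, if `ReadContext` exposes the remaining byte count (not visible in this hunk), and letting the vector grow normally beyond that. The enclosing `Serializer` specialization starts and ends outside the hunk.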
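Review bot: The comment on `max_collection_size` in the config.h hunk says "1M" but the initializer `10 * 1000 * 1000` is ten million, so the effective guard is ten times looser than documented. If 1M is intended, use `uint32_t max_collection_size = 1 * 1000 * 1000;`; otherwise correct the comment to 10M. The section comment has a typo ("fot"), and the neighbouring fields use `///` doc comments, so a line such as `/// Upper bounds applied to lengths decoded from input.` plus per-field `///` comments stating the unit (bytes for strings, elements for collections and maps) would match the file. Patch 6/6 reflows these lines but keeps the mismatch and the typo.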
--- a/cpp/fory/serialization/map_serializer.h +++ b/cpp/fory/serialization/map_serializer.h @@ -539,6 +539,10 @@ inline MapType read_map_data_fast(ReadContext &ctx, uint32_t length) { "Fast path is for non-shared-ref types only"); MapType result; + if(length > ctx.config().max_map_size) { + ctx.set_error(Error::invalid_data); + return result; + } MapReserver::reserve(result, length); if (length == 0) { From 9d3075992214806c347f31e6a1548fac581783c6 Mon Sep 17 00:00:00 2001 From: Garvit Singla Date: Thu, 26 Feb 2026 12:14:30 +0530 Subject: [PATCH 2/6] Testing --- cpp/fory/serialization/collection_serializer.h | 8 ++++---- cpp/fory/serialization/map_serializer.h | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cpp/fory/serialization/collection_serializer.h b/cpp/fory/serialization/collection_serializer.h index d2a1909dcb..c387e6143e 100644 --- a/cpp/fory/serialization/collection_serializer.h +++ b/cpp/fory/serialization/collection_serializer.h @@ -394,8 +394,8 @@ template inline Container read_collection_data_slow(ReadContext &ctx, uint32_t length) { Container result; if constexpr (has_reserve_v) { - if(length > ctx.config().max_collection_size) { - ctx.set_error(Error::invalid_data); + if(length > ctx.config_.max_collection_size) { + ctx.set_error(Error::invalid_data("invalid collection size")); return result; } result.reserve(length); @@ -721,8 +721,8 @@ struct Serializer< } std::vector result; - if(length > ctx.config().max_collection_size) { - ctx.set_error(Error::invalid_data); + if(length > ctx.config_.max_collection_size) { + ctx.set_error(Error::invalid_data("invalid collection size")); return result; } result.reserve(length); diff --git a/cpp/fory/serialization/map_serializer.h b/cpp/fory/serialization/map_serializer.h index 0742562b39..696a174e8f 100644 --- a/cpp/fory/serialization/map_serializer.h +++ b/cpp/fory/serialization/map_serializer.h 
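Review bot: Only `read_map_data_fast` receives the `max_map_size` guard in this series. The function name and the assertion text ("Fast path is for non-shared-ref types only") suggest there is at least one other map read path, and if that path also passes the decoded length to `MapReserver::reserve` it needs the same check; that code is not visible here, so please confirm. The diffstats of all six patches list only collection_serializer.h, config.h, context.h and map_serializer.h, so a regression test that feeds a length just above each limit and expects an error would be worth adding. The function body continues outside the hunk.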
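Review bot: The messages passed to `Error::invalid_data` in this patch ("invalid collection size" in both collection hunks, "Invalid map size" in the map_serializer.h hunk) carry neither the decoded length nor the configured limit, which makes a rejected payload hard to distinguish from other corrupt input when triaging logs. Assuming `invalid_data` accepts a `std::string`, include both values, e.g. `"collection size " + std::to_string(length) + " exceeds max_collection_size"` followed by the limit. The capitalisation also differs between the collection and map messages and should be made consistent.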
@@ -539,8 +539,8 @@ inline MapType read_map_data_fast(ReadContext &ctx, uint32_t length) { "Fast path is for non-shared-ref types only"); MapType result; - if(length > ctx.config().max_map_size) { - ctx.set_error(Error::invalid_data); + if(length > ctx.config_.max_map_size) { + ctx.set_error(Error::invalid_data("Invalid map size")); return result; } MapReserver::reserve(result, length); From 4db37db16301c3c15571923a304e13913e554961 Mon Sep 17 00:00:00 2001 From: Garvit Singla Date: Thu, 26 Feb 2026 12:33:47 +0530 Subject: [PATCH 3/6] Fixed: Made getter methods in context to check max size limits --- cpp/fory/serialization/collection_serializer.h | 4 ++-- cpp/fory/serialization/context.h | 6 ++++++ cpp/fory/serialization/map_serializer.h | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/cpp/fory/serialization/collection_serializer.h b/cpp/fory/serialization/collection_serializer.h index c387e6143e..7516c36e01 100644 --- a/cpp/fory/serialization/collection_serializer.h +++ b/cpp/fory/serialization/collection_serializer.h @@ -394,7 +394,7 @@ template inline Container read_collection_data_slow(ReadContext &ctx, uint32_t length) { Container result; if constexpr (has_reserve_v) { - if(length > ctx.config_.max_collection_size) { + if(length > ctx.max_collection_size()) { ctx.set_error(Error::invalid_data("invalid collection size")); return result; } @@ -721,7 +721,7 @@ struct Serializer< } std::vector result; - if(length > ctx.config_.max_collection_size) { + if(length > ctx.max_collection_size()) { ctx.set_error(Error::invalid_data("invalid collection size")); return result; } diff --git a/cpp/fory/serialization/context.h b/cpp/fory/serialization/context.h index 18e5e68bd5..683f6c2f6d 100644 --- a/cpp/fory/serialization/context.h +++ b/cpp/fory/serialization/context.h 
@@ -359,6 +359,12 @@ class WriteContext { /// ``` class ReadContext { public: + /// get maximum allowed collection size. + inline uint32_t max_collection_size() const { return config_->max_collection_size; } + + /// get maximum allowed map size. + inline uint32_t max_map_size() const { return config_->max_map_size; } + /// Construct read context with configuration and type resolver. /// Takes ownership of the type resolver. explicit ReadContext(const Config &config, diff --git a/cpp/fory/serialization/map_serializer.h b/cpp/fory/serialization/map_serializer.h index 696a174e8f..32b4d1c5d8 100644 --- a/cpp/fory/serialization/map_serializer.h +++ b/cpp/fory/serialization/map_serializer.h @@ -539,7 +539,7 @@ inline MapType read_map_data_fast(ReadContext &ctx, uint32_t length) { "Fast path is for non-shared-ref types only"); MapType result; - if(length > ctx.config_.max_map_size) { + if(length > ctx.max_map_size()) { ctx.set_error(Error::invalid_data("Invalid map size")); return result; } From d18f77474c4119064f97e1c93cd01c38848043d8 Mon Sep 17 00:00:00 2001 From: Garvit Singla Date: Thu, 26 Feb 2026 12:44:23 +0530 Subject: [PATCH 4/6] feat(cpp): add size gaurdrails on maps,lists --- cpp/fory/serialization/collection_serializer.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/fory/serialization/collection_serializer.h b/cpp/fory/serialization/collection_serializer.h index 7516c36e01..0888e5eaed 100644 --- a/cpp/fory/serialization/collection_serializer.h +++ b/cpp/fory/serialization/collection_serializer.h @@ -394,7 +394,7 @@ template inline Container read_collection_data_slow(ReadContext &ctx, uint32_t length) { Container result; if constexpr (has_reserve_v) { - if(length > ctx.max_collection_size()) { + if(length > ctx.max_collection_size() ) { ctx.set_error(Error::invalid_data("invalid collection size")); return result; } From 002be9c62b88757821ad4b5c56c1f5dea512d081 Mon Sep 17 00:00:00 2001 
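Review bot: `ReadContext` gains accessors for `max_collection_size` and `max_map_size` but none for `max_string_length`, and no hunk in this series compares a string length against that field, so the third limit added to `Config` appears to be unenforced. Either add the matching accessor and a check in the string read path, or drop the field until it is wired up, so users do not assume a protection that is not applied. `inline` is redundant on member functions defined inside the class body. The doc comments could also state the unit and the effect, e.g. `/// Maximum number of elements accepted for a decoded collection; larger lengths are rejected as invalid data.`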
From: Garvit Singla Date: Thu, 26 Feb 2026 12:55:25 +0530 Subject: [PATCH 5/6] feat(cpp): add size gaurdrails on maps,lists --- cpp/fory/serialization/collection_serializer.h | 4 ++-- cpp/fory/serialization/context.h | 6 ++++-- cpp/fory/serialization/map_serializer.h | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/cpp/fory/serialization/collection_serializer.h b/cpp/fory/serialization/collection_serializer.h index 0888e5eaed..4b138b8d34 100644 --- a/cpp/fory/serialization/collection_serializer.h +++ b/cpp/fory/serialization/collection_serializer.h @@ -394,7 +394,7 @@ template inline Container read_collection_data_slow(ReadContext &ctx, uint32_t length) { Container result; if constexpr (has_reserve_v) { - if(length > ctx.max_collection_size() ) { + if (length > ctx.max_collection_size()) { ctx.set_error(Error::invalid_data("invalid collection size")); return result; } @@ -721,7 +721,7 @@ struct Serializer< } std::vector result; - if(length > ctx.max_collection_size()) { + if (length > ctx.max_collection_size()) { ctx.set_error(Error::invalid_data("invalid collection size")); return result; } diff --git a/cpp/fory/serialization/context.h b/cpp/fory/serialization/context.h index 683f6c2f6d..cd567de7eb 100644 --- a/cpp/fory/serialization/context.h +++ b/cpp/fory/serialization/context.h @@ -360,11 +360,13 @@ class WriteContext { class ReadContext { public: /// get maximum allowed collection size. - inline uint32_t max_collection_size() const { return config_->max_collection_size; } + inline uint32_t max_collection_size() const { + return config_->max_collection_size; + } /// get maximum allowed map size. inline uint32_t max_map_size() const { return config_->max_map_size; } - + /// Construct read context with configuration and type resolver. /// Takes ownership of the type resolver. explicit ReadContext(const Config &config, 
diff --git a/cpp/fory/serialization/map_serializer.h b/cpp/fory/serialization/map_serializer.h index 32b4d1c5d8..9ea0ae0bc9 100644 --- a/cpp/fory/serialization/map_serializer.h +++ b/cpp/fory/serialization/map_serializer.h @@ -539,7 +539,7 @@ inline MapType read_map_data_fast(ReadContext &ctx, uint32_t length) { "Fast path is for non-shared-ref types only"); MapType result; - if(length > ctx.max_map_size()) { + if (length > ctx.max_map_size()) { ctx.set_error(Error::invalid_data("Invalid map size")); return result; } From 077a581cac8796dac4feae49e356d6a8c3d338ea Mon Sep 17 00:00:00 2001 From: Garvit Singla Date: Thu, 26 Feb 2026 13:00:07 +0530 Subject: [PATCH 6/6] style: apply code style and formatting fixes from lint --- cpp/fory/serialization/config.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cpp/fory/serialization/config.h b/cpp/fory/serialization/config.h index 0dbe06f211..719b482c88 100644 --- a/cpp/fory/serialization/config.h +++ b/cpp/fory/serialization/config.h @@ -52,9 +52,11 @@ struct Config { /// When enabled, avoids duplicating shared objects and handles cycles. bool track_ref = true; - //max limits fot map,lists and collections - uint32_t max_string_length = 64 * 1024 * 1024; // 64MB default max string length - uint32_t max_collection_size = 10 * 1000 * 1000; // 1M default max collection size + // max limits fot map,lists and collections + uint32_t max_string_length = + 64 * 1024 * 1024; // 64MB default max string length + uint32_t max_collection_size = + 10 * 1000 * 1000; // 1M default max collection size uint32_t max_map_size = 1 * 1000 * 1000; // 1M default max map size /// Default constructor with sensible defaults