
fix: reject oversized string/list/map sizes during decode #88

Merged: xiaost merged 1 commit into main from fix/reject-corrupted-data, Jun 5, 2026

xiaost (Contributor) commented Jun 5, 2026

Decoded string/[]byte/list/map lengths that exceed the remaining buffer can not possibly be valid, so allocating for them risks huge allocations or OOM on corrupted data. Detect these before allocating and return a thrift SIZE_LIMIT protocol exception, distinct from io.ErrShortBuffer.

Also guard the size-header reads themselves: a buffer too short to even hold the length header now returns io.ErrShortBuffer instead of panicking with an index out of range.

xiaost merged commit 9d391c7 into main Jun 5, 2026
18 checks passed
xiaost deleted the fix/reject-corrupted-data branch June 5, 2026 08:16
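
The check described in the PR, shown as an added example that is not the project's own code: a declared size is compared with the bytes remaining before anything is allocated, and a truncated size header is reported as `io.ErrShortBuffer` rather than causing an index panic. The names `errSizeLimit`, `readSize` and `readI32List` are hypothetical, and the layout assumes 4-byte big-endian sizes with a 1-byte element type before a list count.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// errSizeLimit stands in for thrift's SIZE_LIMIT exception (hypothetical name).
var errSizeLimit = errors.New("declared size exceeds remaining buffer")

// readSize decodes a 4-byte big-endian size and rejects any value the rest
// of the buffer cannot hold; rejecting negatives too is an assumption here.
func readSize(buf []byte) (int, error) {
	if len(buf) < 4 {
		return 0, io.ErrShortBuffer // truncated header: error, not a panic
	}
	n := int32(binary.BigEndian.Uint32(buf))
	if n < 0 || int(n) > len(buf)-4 {
		return 0, errSizeLimit // decided before any allocation
	}
	return int(n), nil
}

// readI32List decodes elemType(1) + count(4) + count*4 bytes: an impossible
// count is corrupt, a plausible count with a cut-off payload is a short buffer.
func readI32List(buf []byte) ([]int32, error) {
	if len(buf) < 1 {
		return nil, io.ErrShortBuffer
	}
	count, err := readSize(buf[1:])
	if err != nil {
		return nil, err
	}
	if (len(buf)-5)/4 < count {
		return nil, io.ErrShortBuffer
	}
	out := make([]int32, count) // bounded by len(buf), not by the wire value
	for i := range out {
		out[i] = int32(binary.BigEndian.Uint32(buf[5+i*4:]))
	}
	return out, nil
}

func main() {
	// Constructed input: list header declaring 0x7fffffff elements.
	fmt.Println(readI32List([]byte{0x08, 0x7f, 0xff, 0xff, 0xff, 0, 0, 0, 1}))
}
```

Without the size check, the constructed 9-byte input would request a slice of about 2^31 elements from the allocator.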