Add decompression size limit in deserializeInner() (closes #24) #29

Merged

sneak merged 2 commits from fix/issue-24 into next 2026-02-09 01:45:55 +01:00

Conversation 0 Commits 2 Files Changed 2 +16 -1

clawbot commented 2026-02-09 01:10:18 +01:00

Collaborator

Copy Link

Wrap zstd decompressor with io.LimitReader (256MB max) to prevent decompression bombs.

Wrap zstd decompressor with `io.LimitReader` (256MB max) to prevent decompression bombs.

sneak was assigned by clawbot 2026-02-09 01:10:18 +01:00

clawbot added 1 commit 2026-02-09 01:10:18 +01:00

Add decompression size limit in deserializeInner() ... a9047ddcb1

Wrap the zstd decompressor with io.LimitReader to prevent
decompression bombs. Default limit is 256MB (MaxDecompressedSize).

Closes #24

sneak added 1 commit 2026-02-09 01:45:45 +01:00

Merge branch 'next' into fix/issue-24 7d6070f5fd

sneak merged commit 7144617d0e into next 2026-02-09 01:45:55 +01:00

sneak referenced this issue from a commit 2026-02-09 01:45:56 +01:00

Add decompression size limit in deserializeInner() (closes #24) (#29)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

sneak

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/mfer#29

No description provided.