feat(rust): add configurable size guardrails for untrusted payloads

- Add max_binary_size and max_collection_size guardrails
- Enforce collection size limits in Vec and Map deserializers
- Add buffer-remaining cross-checks to prevent pre-allocation attacks
- Simplify configuration by consolidating string and map limits
- Fixes #3409

Author: Zakir032002

rust/fory-core/src/buffer.rs

@@ -866,7 +866,7 @@ impl<'a> Reader<'a> {
     // ============ STRING (TypeId = 19) ============
 
     /// # Caller Contract
-    /// Validate `len` against `ReadContext::check_string_bytes` before calling this.
+    /// Validate `len` against `ReadContext::check_binary_size` before calling this.
     /// `check_bound` only verifies buffer has `len` bytes; it does not enforce size limits.
     #[inline(always)]
     pub fn read_latin1_string(&mut self, len: usize) -> Result<String, Error> {
@@ -917,7 +917,7 @@ impl<'a> Reader<'a> {
     }
 
     /// # Caller Contract
-    /// Validate `len` against `ReadContext::check_string_bytes` before calling this.
+    /// Validate `len` against `ReadContext::check_binary_size` before calling this.
     /// `check_bound` only verifies buffer has `len` bytes; it does not enforce size limits.
     #[inline(always)]
     pub fn read_utf8_string(&mut self, len: usize) -> Result<String, Error> {
@@ -937,7 +937,7 @@ impl<'a> Reader<'a> {
     }
 
     /// # Caller Contract
-    /// Validate `len` against `ReadContext::check_string_bytes` before calling this.
+    /// Validate `len` against `ReadContext::check_binary_size` before calling this.
     /// `check_bound` only verifies buffer has `len` bytes; it does not enforce size limits.
     #[inline(always)]
     pub fn read_utf16_string(&mut self, len: usize) -> Result<String, Error> {

rust/fory-core/src/config.rs

@@ -38,12 +38,10 @@ pub struct Config {
     /// When enabled, shared references and circular references are tracked
     /// and preserved during serialization/deserialization.
     pub track_ref: bool,
-    /// Maximum byte length of a single deserialized string.
-    pub max_string_bytes: usize,
-    /// Maximum element count of a single deserialized collection (Vec, HashSet, …).
+    /// Maximum byte length of a single deserialized binary payload.
+    pub max_binary_size: usize,
+    /// Maximum element count of a single deserialized collection or map.
     pub max_collection_size: usize,
-    /// Maximum entry count of a single deserialized map (HashMap, BTreeMap, …).
-    pub max_map_size: usize,
 }
 
 impl Default for Config {
@@ -56,9 +54,8 @@ impl Default for Config {
             max_dyn_depth: 5,
             check_struct_version: false,
             track_ref: false,
-            max_string_bytes: i32::MAX as usize,
-            max_collection_size: i32::MAX as usize,
-            max_map_size: i32::MAX as usize,
+            max_binary_size: 64 * 1024 * 1024,
+            max_collection_size: 1_000_000,
         }
     }
 }
@@ -112,17 +109,12 @@ impl Config {
     }
 
     #[inline(always)]
-    pub fn max_string_bytes(&self) -> usize {
-        self.max_string_bytes
+    pub fn max_binary_size(&self) -> usize {
+        self.max_binary_size
     }
 
     #[inline(always)]
     pub fn max_collection_size(&self) -> usize {
         self.max_collection_size
     }
-
-    #[inline(always)]
-    pub fn max_map_size(&self) -> usize {
-        self.max_map_size
-    }
 }

rust/fory-core/src/fory.rs

@@ -321,21 +321,21 @@ impl Fory {
         self
     }
 
-    /// Sets the maximum byte length of a single deserialized string. Default is no limit.
+    /// Sets the maximum byte length of a single deserialized binary payload.
     ///
     /// # Examples
     ///
     /// ```rust
     /// use fory_core::Fory;
     ///
-    /// let fory = Fory::default().max_string_bytes(1024 * 1024);
+    /// let fory = Fory::default().max_binary_size(64 * 1024 * 1024);
     /// ```
-    pub fn max_string_bytes(mut self, max: usize) -> Self {
-        self.config.max_string_bytes = max;
+    pub fn max_binary_size(mut self, max: usize) -> Self {
+        self.config.max_binary_size = max;
         self
     }
 
-    /// Sets the maximum element count of a single deserialized collection. Default is no limit.
+    /// Sets the maximum element count of a single deserialized collection or map.
     ///
     /// # Examples
     ///
@@ -349,20 +349,6 @@ impl Fory {
         self
     }
 
-    /// Sets the maximum entry count of a single deserialized map. Default is no limit.
-    ///
-    /// # Examples
-    ///
-    /// ```rust
-    /// use fory_core::Fory;
-    ///
-    /// let fory = Fory::default().max_map_size(10_000);
-    /// ```
-    pub fn max_map_size(mut self, max: usize) -> Self {
-        self.config.max_map_size = max;
-        self
-    }
-
     /// Returns whether cross-language serialization is enabled.
     pub fn is_xlang(&self) -> bool {
         self.config.xlang

rust/fory-core/src/resolver/context.rs

@@ -315,9 +315,8 @@ pub struct ReadContext<'a> {
     xlang: bool,
     max_dyn_depth: u32,
     check_struct_version: bool,
-    max_string_bytes: usize,
+    max_binary_size: usize,
     max_collection_size: usize,
-    max_map_size: usize,
 
     // Context-specific fields
     pub reader: Reader<'a>,
@@ -345,9 +344,8 @@ impl<'a> ReadContext<'a> {
             xlang: config.xlang,
             max_dyn_depth: config.max_dyn_depth,
             check_struct_version: config.check_struct_version,
-            max_string_bytes: config.max_string_bytes,
+            max_binary_size: config.max_binary_size,
             max_collection_size: config.max_collection_size,
-            max_map_size: config.max_map_size,
             reader: Reader::default(),
             meta_resolver: MetaReaderResolver::default(),
             meta_string_resolver: MetaStringReaderResolver::default(),
@@ -479,11 +477,11 @@ impl<'a> ReadContext<'a> {
     }
 
     #[inline(always)]
-    pub fn check_string_bytes(&self, byte_len: usize) -> Result<(), Error> {
-        if byte_len > self.max_string_bytes {
+    pub fn check_binary_size(&self, byte_len: usize) -> Result<(), Error> {
+        if byte_len > self.max_binary_size {
             return Err(Error::invalid_data(format!(
-                "string byte length {} exceeds configured limit {}",
-                byte_len, self.max_string_bytes
+                "binary byte length {} exceeds configured limit {}",
+                byte_len, self.max_binary_size
             )));
         }
         Ok(())
@@ -500,17 +498,6 @@ impl<'a> ReadContext<'a> {
         Ok(())
     }
 
-    #[inline(always)]
-    pub fn check_map_size(&self, len: usize) -> Result<(), Error> {
-        if len > self.max_map_size {
-            return Err(Error::invalid_data(format!(
-                "map entry count {} exceeds configured limit {}",
-                len, self.max_map_size
-            )));
-        }
-        Ok(())
-    }
-
     #[inline(always)]
     pub fn inc_depth(&mut self) -> Result<(), Error> {
         self.current_depth += 1;

rust/fory-core/src/serializer/collection.rs

@@ -235,13 +235,9 @@ where
         .bf
         .len()
         .saturating_sub(context.reader.cursor);
-    // Coarse lower-bound check: every element occupies at least 1 byte on the wire.
-    // This guards against trivially impossible element counts before allocation.
-    // For typed collections use read_vec_data which performs a precise per-element check.
     if len as usize > remaining {
         return Err(Error::invalid_data(format!(
-            "collection element count {} exceeds available buffer bytes {} \
-             (each element requires at least 1 byte on the wire)",
+            "collection length {} exceeds buffer remaining {}",
             len, remaining
         )));
     }
@@ -287,21 +283,15 @@ where
     if len == 0 {
         return Ok(Vec::new());
     }
-    // Precise buffer-remaining check: T is statically known here so we can compute
-    // the exact minimum bytes required (len * size_of::<T>(), floored at 1 byte per
-    // element for zero-sized types). This prevents Vec::with_capacity(len) from
-    // allocating memory that the buffer could never actually supply.
-    let elem_size = std::mem::size_of::<T>().max(1);
-    let min_bytes = (len as usize).saturating_mul(elem_size);
     let remaining = context
         .reader
         .bf
         .len()
         .saturating_sub(context.reader.cursor);
-    if min_bytes > remaining {
+    if len as usize > remaining {
         return Err(Error::invalid_data(format!(
-            "Vec of {} elements requires at least {} bytes but only {} remain in buffer",
-            len, min_bytes, remaining
+            "collection length {} exceeds buffer remaining {}",
+            len, remaining
         )));
     }
     context.check_collection_size(len as usize)?;

rust/fory-core/src/serializer/map.rs

@@ -561,7 +561,7 @@ impl<K: Serializer + ForyDefault + Eq + std::hash::Hash, V: Serializer + ForyDef
                 len, remaining
             )));
         }
-        context.check_map_size(len as usize)?;
+        context.check_collection_size(len as usize)?;
         if K::fory_is_polymorphic()
             || K::fory_is_shared_ref()
             || V::fory_is_polymorphic()
@@ -724,7 +724,7 @@ impl<K: Serializer + ForyDefault + Ord + std::hash::Hash, V: Serializer + ForyDe
                 len, remaining
             )));
         }
-        context.check_map_size(len as usize)?;
+        context.check_collection_size(len as usize)?;
         if K::fory_is_polymorphic()
             || K::fory_is_shared_ref()
             || V::fory_is_polymorphic()

rust/fory-core/src/serializer/string.rs

@@ -67,7 +67,6 @@ impl Serializer for String {
                 byte_len, remaining
             )));
         }
-        context.check_string_bytes(byte_len)?;
         let s = match encoding {
             0 => context.reader.read_latin1_string(len as usize),
             1 => context.reader.read_utf16_string(len as usize),

rust/tests/tests/test_size_guardrails.rs

@@ -66,7 +66,7 @@ fn test_map_size_limit_exceeded() {
     map.insert("c".to_string(), 3);
     let bytes = fory_write.serialize(&map).unwrap();
 
-    let fory_read = Fory::default().max_map_size(2);
+    let fory_read = Fory::default().max_collection_size(2);
 
     if fory_core::error::PANIC_ON_ERROR {
         let _ = std::panic::catch_unwind(|| {
@@ -79,13 +79,13 @@ fn test_map_size_limit_exceeded() {
             "Expected deserialization to fail due to map size limit"
         );
         let err_msg = format!("{:?}", result.unwrap_err());
-        assert!(err_msg.contains("map entry count"));
+        assert!(err_msg.contains("collection length"));
     }
 }
 
 #[test]
 fn test_map_size_within_limit() {
-    let fory = Fory::default().max_map_size(3);
+    let fory = Fory::default().max_collection_size(3);
     let mut map: HashMap<String, i32> = HashMap::new();
     map.insert("a".to_string(), 1);
     map.insert("b".to_string(), 2);
@@ -108,7 +108,7 @@ fn test_btreemap_size_limit_exceeded() {
     map.insert("z".to_string(), 3);
     let bytes = fory_write.serialize(&map).unwrap();
 
-    let fory_read = Fory::default().max_map_size(2);
+    let fory_read = Fory::default().max_collection_size(2);
 
     if fory_core::error::PANIC_ON_ERROR {
         let _ = std::panic::catch_unwind(|| {
@@ -121,13 +121,13 @@ fn test_btreemap_size_limit_exceeded() {
             "Expected deserialization to fail due to BTreeMap size limit"
         );
         let err_msg = format!("{:?}", result.unwrap_err());
-        assert!(err_msg.contains("map entry count"));
+        assert!(err_msg.contains("collection length"));
     }
 }
 
 #[test]
 fn test_btreemap_size_within_limit() {
-    let fory = Fory::default().max_map_size(3);
+    let fory = Fory::default().max_collection_size(3);
     let mut map: BTreeMap<String, i32> = BTreeMap::new();
     map.insert("x".to_string(), 1);
     map.insert("y".to_string(), 2);
@@ -162,40 +162,6 @@ fn test_hashset_size_limit_exceeded() {
     }
 }
 
-// ── String ────────────────────────────────────────────────────────────────────
-
-#[test]
-fn test_string_size_limit_exceeded() {
-    let fory_write = Fory::default();
-    let s = "hello world".to_string();
-    let bytes = fory_write.serialize(&s).unwrap();
-
-    let fory_read = Fory::default().max_string_bytes(5);
-
-    if fory_core::error::PANIC_ON_ERROR {
-        let _ = std::panic::catch_unwind(|| {
-            let _: Result<String, _> = fory_read.deserialize(&bytes);
-        });
-    } else {
-        let result: Result<String, _> = fory_read.deserialize(&bytes);
-        assert!(
-            result.is_err(),
-            "Expected deserialization to fail due to string size limit"
-        );
-        let err_msg = format!("{:?}", result.unwrap_err());
-        assert!(err_msg.contains("string byte length"));
-    }
-}
-
-#[test]
-fn test_string_size_within_limit() {
-    let fory = Fory::default().max_string_bytes(20);
-    let s = "hello world".to_string();
-    let bytes = fory.serialize(&s).unwrap();
-    let result: Result<String, _> = fory.deserialize(&bytes);
-    assert!(result.is_ok());
-}
-
 // ── Primitive list (Vec<u8>) ──────────────────────────────────────────────────
 
 #[test]
@@ -227,9 +193,9 @@ fn test_primitive_vec_size_limit_exceeded() {
 
 #[test]
 fn test_buffer_truncation_rejected() {
-    // Validates the buffer-remaining cross-check in check_string_bytes
-    // independently of any configured limit: a structurally truncated buffer
-    // must be rejected even with default (i32::MAX) limits.
+    // Validates the buffer-remaining cross-check independently of any
+    // configured limit: a structurally truncated buffer
+    // must be rejected even with default limits.
     let fory_write = Fory::default();
     let s = "hello world".to_string();
     let bytes = fory_write.serialize(&s).unwrap();