Hi Peter,
Since the filter is passed information about each object created, a stateful filter can tabulate the cumulative size itself if that is a concern.

Also, a stateless filter can be constructed to check a combination of the total number of objects, depth, array sizes, and stream size. Since arrays are initialized with data from the stream, the stream size provides a practical limit.

Roger
On 8/29/16 10:07 PM, Peter Firmstone wrote:
A quick thought on the array size filter:
The system creates an array with a size read from the stream.
If Mallory sends a multidimensional array in the stream, then Mallory can
consume all JVM memory without exceeding the array size limit or the stream
data limit.
We also need an array combined length limit.
Thanks,
Peter.
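
A sketch of the stateful filter discussed in this thread, as an added example that is not code from either poster or from the JDK. It uses the java.io.ObjectInputFilter API as it shipped in Java 9; the class name, the byte budget and the per-element size estimates are assumptions made for illustration.

```java
import java.io.*;

/** Stateful filter: caps the combined size of all arrays in one stream. Use one instance per stream. */
public class CumulativeArrayFilter implements ObjectInputFilter {
    private final long maxTotalArrayBytes; // assumed budget, chosen by the caller
    private long totalArrayBytes;          // running total across every array seen so far

    public CumulativeArrayFilter(long maxTotalArrayBytes) {
        this.maxTotalArrayBytes = maxTotalArrayBytes;
    }

    @Override
    public Status checkInput(FilterInfo info) {
        Class<?> c = info.serialClass();
        long len = info.arrayLength();     // -1 when the callback is not for an array
        if (c == null || !c.isArray() || len < 0) return Status.UNDECIDED;
        try {
            long bytes = Math.multiplyExact(len, elementSize(c.getComponentType()));
            totalArrayBytes = Math.addExact(totalArrayBytes, bytes);
        } catch (ArithmeticException overflow) {
            return Status.REJECTED;        // a total that overflows long is over any budget
        }
        return totalArrayBytes > maxTotalArrayBytes ? Status.REJECTED : Status.UNDECIDED;
    }

    // Rough per-element cost; 8 bytes per reference slot is an assumed upper bound.
    private static int elementSize(Class<?> t) {
        if (t == long.class || t == double.class) return 8;
        if (t == int.class || t == float.class) return 4;
        if (t == short.class || t == char.class) return 2;
        if (t == byte.class || t == boolean.class) return 1;
        return 8;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a 64 x 1024 int matrix. No single dimension exceeds 1024,
        // so a per-array length limit of 1024 alone would accept it (about 256 KiB of ints).
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new int[64][1024]);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(new CumulativeArrayFilter(64 * 1024)); // 64 KiB budget
            in.readObject();
            System.out.println("accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // taken here: total passes 64 KiB
        }
    }
}
```

The stream calls the filter with the array length before it allocates each array, so the rejection happens before the over-budget allocation is made.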