masumi-ryugo commented on PR #9868: URL: https://github.com/apache/arrow-rs/pull/9868#issuecomment-4362206933
Thanks for the review @etseidl, and thanks for running the metadata bench — happy that the `remaining_bytes()` clamp doesn't show up in the numbers. I've filed #9874 as the umbrella for both this immediate fix and the broader thrift-parser hardening you mentioned. PR description here is updated to reference it. Happy to do further fuzzing passes against specific suspected hotspots in `parquet_thrift` if you have particular spots in mind — otherwise I'll do a sweep of remaining `with_capacity`/`reserve` call sites on attacker-controlled paths and either fold those into this PR or file follow-ups under #9874, whichever you prefer.
