KalleOlaviNiemitalo commented on PR #3546: URL: https://github.com/apache/avro/pull/3546#issuecomment-3607126010
IMO it should be 1.13.0 only. Preallocating like this makes it more vulnerable to malicious data that claims to have a huge number of array elements and then causes the library to allocate a lot of memory, despite the attacker not spending any resources to actually send that much data.

<https://github.com/apache/avro/pull/3403> disclaims responsibility on using the library on untrusted data, but users of older branches, which were published before that text was added, may still be doing that.

Moreover, <https://issues.apache.org/jira/plugins/servlet/mobile#issue/AVRO-4134> is categorised as a trivial improvement, rather than a bug.
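As an added illustration of the preallocation concern raised in the comment above (example code written for this page, not Avro's own decoder): a Go reader for an Avro `array<long>` that caps the capacity it reserves per block at the number of bytes still unread, so a header that merely claims a huge count cannot drive the allocation. `maxItems` is a hypothetical caller-supplied limit, and the byte strings are constructed inputs.

```go
package main

import "fmt"

// readLong decodes one Avro long (zigzag base-128 varint) starting at pos.
func readLong(buf []byte, pos int) (int64, int, error) {
	var raw uint64
	for shift := uint(0); pos < len(buf) && shift <= 63; shift += 7 {
		b := buf[pos]
		pos++
		raw |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			return int64(raw>>1) ^ -int64(raw&1), pos, nil
		}
	}
	return 0, pos, fmt.Errorf("truncated or overlong varint at byte %d", pos)
}

// readLongArray decodes an Avro array<long>: blocks of (count, items...) ended by a zero
// count. maxItems is a hypothetical caller limit; the capacity reserved for a block is
// also capped by the bytes still unread, since every encoded long occupies at least one.
func readLongArray(buf []byte, maxItems int) ([]int64, error) {
	items, pos := []int64{}, 0
	for {
		count, p, err := readLong(buf, pos)
		if err != nil || count == 0 { // a zero count terminates the array
			return items, err
		}
		pos = p
		if count < 0 { // negative count: |count| items, preceded by the block's byte size
			_, pos, err = readLong(buf, pos)
			count = -count // -MinInt64 stays negative and is rejected below
		}
		left := int64(len(buf) - pos)
		if err != nil || count < 0 || count > left || count > int64(maxItems-len(items)) {
			return nil, fmt.Errorf("rejecting block: claims %d items, %d bytes unread, %d items allowed", count, left, maxItems-len(items))
		}
		items = append(make([]int64, 0, len(items)+int(count)), items...) // bounded reserve
		for ; count > 0; count-- {
			v, p, err := readLong(buf, pos)
			if err != nil {
				return nil, err
			}
			items, pos = append(items, v), p
		}
	}
}

func main() {
	fmt.Println(readLongArray([]byte{0x04, 0x02, 0x03, 0x00}, 1000)) // constructed: one block of [1 -2]
}
```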
