[C++] configurable size guardrails for untrusted payloads

[chaokunyang]

Feature Request

Add configurable deserialization size guardrails in Fory C++ for untrusted payloads.

Is your feature request related to a problem? Please describe

There are currently no configurable limits for payload-driven lengths. Untrusted binary/map/list lengths can trigger large allocations and memory pressure.

Describe the solution you'd like

Add two configurable size limits to C++ deserialization and enforce them in relevant preallocation-sensitive read paths.

Resolve task:

• Add only two runtime guardrail options: max_binary_size and max_collection_size.
• Enforce max_collection_size for collection and map reads (map uses entry count).
• Enforce max_binary_size for binary byte-length reads.
• Do not add string size checks; string reads are excluded from this requirement.
• Return/throw a deserialization error when a configured limit is exceeded.

Describe alternatives you've considered

Relying only on process-level memory limits and runtime/allocator behavior. This is late-failing and not protocol-aware.

Additional context

Medium: no configurable size guardrails for untrusted payloads (binary/map/list lengths can drive large allocations).

Related locations:

• cpp/fory/serialization/config.h:31
• cpp/fory/serialization/collection_serializer.h:396
• cpp/fory/serialization/collection_serializer.h:719
• cpp/fory/serialization/map_serializer.h:541

[shivendra-dev54]

@chaokunyang
Hi, I noticed that the previous PR (#3422) was closed.

If the issue is still open, I’d be happy to work on implementing the fix. I’ve recently been contributing to Apache GraphAr (incubating), so I’m familiar with the Apache workflow and testing requirements.

Please let me know if it’s okay for me to take this one.

[chaokunyang]

@shivendra-dev54 Assigned to you