[C#] configurable size guardrails for untrusted payloads #3412
Description
Feature Request
Add configurable deserialization size guardrails in Fory C# for untrusted payloads.
Is your feature request related to a problem? Please describe
There are currently no configurable limits for payload-driven lengths. Untrusted binary/map/list lengths can trigger large allocations and memory pressure.
Describe the solution you'd like
Add two configurable size limits to C# deserialization and enforce them in relevant preallocation-sensitive read paths.
Resolve task:
- Add only two runtime guardrail options:
max_binary_sizeandmax_collection_size. - Enforce
max_collection_sizefor collection and map reads (map uses entry count). - Enforce
max_binary_sizefor binary byte-length reads. - Do not add string size checks; string reads are excluded from this requirement.
- Return/throw a deserialization error when a configured limit is exceeded.
Describe alternatives you've considered
Relying only on process-level memory limits and runtime/allocator behavior. This is late-failing and not protocol-aware.
Additional context
Medium: no configurable size guardrails for untrusted payloads (binary/map/list lengths can drive large allocations).
Related locations:
csharp/src/Fory/Config.cs:25csharp/src/Fory/CollectionSerializers.cs:152csharp/src/Fory/CollectionSerializers.cs:165csharp/src/Fory/DictionarySerializers.cs:214csharp/src/Fory/DictionarySerializers.cs:220