apache · miantalha45 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 21, 2026
@@ -40,9 +40,15 @@ export default class {
   anySerializer: Serializer;
   typeMeta = TypeMeta;
   config: Config;
+  depth = 0;
+  maxDepth: number;
 
   constructor(config?: Partial<Config>) {
     this.config = this.initConfig(config);
+    this.maxDepth = config?.maxDepth ?? 50;
+    if (this.maxDepth < 2) {
+      throw new Error(`maxDepth must be >= 2 but got ${this.maxDepth}`);
+    }
     this.binaryReader = new BinaryReader(this.config);
     this.binaryWriter = new BinaryWriter(this.config);
     this.referenceResolver = new ReferenceResolver(this.binaryReader);
@@ -57,6 +63,7 @@ export default class {
     return {
       refTracking: config?.refTracking !== null ? Boolean(config?.refTracking) : null,
       useSliceString: Boolean(config?.useSliceString),
+      maxDepth: config?.maxDepth,
       hooks: config?.hooks || {},
       compatible: Boolean(config?.compatible),
     };
@@ -66,6 +73,34 @@ export default class {
     return this.config.compatible === true;
   }
 
+  incReadDepth(): void {
+    this.depth++;
+    if (this.depth > this.maxDepth) {
+      throw new Error(
+        `Deserialization depth limit exceeded: ${this.depth} > ${this.maxDepth}. `
+        + "The data may be malicious, or increase maxDepth if needed."
+      );
+    }
+  }
+
+  decReadDepth(): void {
+    this.depth--;
+  }
+
+  private resetRead(): void {
+    this.referenceResolver.resetRead();
+    this.typeMetaResolver.resetRead();
+    this.metaStringResolver.resetRead();
+    this.depth = 0;
+  }
+
+  private resetWrite(): void {
+    this.binaryWriter.reset();
+    this.referenceResolver.resetWrite();
+    this.metaStringResolver.resetWrite();
+    this.typeMetaResolver.resetWrite();
+  }
+
   registerSerializer<T>(constructor: new () => T, customSerializer: CustomSerializer<T>): {
     serializer: Serializer;
     serialize(data: InputType<T> | null): PlatformBuffer;
@@ -141,10 +176,8 @@ export default class {
   }
 
   deserialize<T = any>(bytes: Uint8Array, serializer: Serializer = this.anySerializer): T | null {
-    this.referenceResolver.reset();
+    this.resetRead();
     this.binaryReader.reset(bytes);
-    this.typeMetaResolver.reset();
-    this.metaStringResolver.reset();
     const bitmap = this.binaryReader.readUint8();
     if ((bitmap & ConfigFlags.isNullFlag) === ConfigFlags.isNullFlag) {
       return null;
@@ -162,16 +195,13 @@ export default class {
 
   private serializeInternal<T = any>(data: T, serializer: Serializer) {
     try {
-      this.binaryWriter.reset();
+      this.resetWrite();
     } catch (e) {
       if (e instanceof OwnershipError) {
         throw new Error("Permission denied. To release the serialization ownership, you must call the dispose function returned by serializeVolatile.");
       }
       throw e;
     }
-    this.referenceResolver.reset();
-    this.metaStringResolver.reset();
-    this.typeMetaResolver.reset();
     let bitmap = 0;
     if (data === null) {
       bitmap |= ConfigFlags.isNullFlag;

@@ -198,28 +198,38 @@ export abstract class BaseSerializerGenerator implements SerializerGenerator {
   }
 
   readNoRef(assignStmt: (v: string) => string, refState: string): string {
+    const result = this.scope.uniqueName("result");
     return `
+      fory.incReadDepth();
       ${this.readTypeInfo()}
-      ${this.read(assignStmt, refState)};
+      let ${result};
+      ${this.read(v => `${result} = ${v}`, refState)};
+      fory.decReadDepth();
+      ${assignStmt(result)};
     `;
   }
 
   readRefWithoutTypeInfo(assignStmt: (v: string) => string): string {
     const refFlag = this.scope.uniqueName("refFlag");
+    const result = this.scope.uniqueName("result");
     return `
         const ${refFlag} = ${this.builder.reader.readInt8()};
+        let ${result};
         switch (${refFlag}) {
             case ${RefFlags.NotNullValueFlag}:
             case ${RefFlags.RefValueFlag}:
-                ${this.read(assignStmt, `${refFlag} === ${RefFlags.RefValueFlag}`)}
+                fory.incReadDepth();
+                ${this.read(v => `${result} = ${v}`, `${refFlag} === ${RefFlags.RefValueFlag}`)}
+                fory.decReadDepth();
                 break;
             case ${RefFlags.RefFlag}:
-                ${assignStmt(this.builder.referenceResolver.getReadObject(this.builder.reader.readVarUInt32()))}
+                ${result} = ${this.builder.referenceResolver.getReadObject(this.builder.reader.readVarUInt32())};
                 break;
             case ${RefFlags.NullFlag}:
-                ${assignStmt("null")}
+                ${result} = null;
                 break;
         }
+        ${assignStmt(result)};
     `;
   }
 

@@ -108,4 +108,15 @@ export class MetaStringResolver {
     });
     this.dynamicNameId = 0;
   }
+
+  resetRead() {
+    // No state to reset for read operation
+  }
+
+  resetWrite() {
+    this.disposeMetaStringBytes.forEach((x) => {
+      x.dynamicWriteStringId = -1;
+    });
+    this.dynamicNameId = 0;
+  }
 }
@@ -35,6 +35,14 @@ export class ReferenceResolver {
     this.writeObjects = new Map();
   }
 
+  resetRead() {
+    this.readObjects = [];
+  }
+
+  resetWrite() {
+    this.writeObjects = new Map();
+  }
+
   getReadObject(refId: number) {
     return this.readObjects[refId];
   }

@@ -264,6 +264,7 @@ export interface Config {
   hps?: Hps;
   refTracking: boolean | null;
   useSliceString: boolean;
+  maxDepth?: number;
   hooks: {
     afterCodeGenerated?: (code: string) => string;
   };

@@ -121,4 +121,16 @@ export class TypeMetaResolver {
     this.dynamicTypeId = 0;
     this.typeMeta = [];
   }
+
+  resetRead() {
+    this.typeMeta = [];
+  }
+
+  resetWrite() {
+    this.disposeTypeInfo.forEach((x) => {
+      x.dynamicTypeId = -1;
+    });
+    this.disposeTypeInfo = [];
+    this.dynamicTypeId = 0;
+  }
 }