[Boost-users] serialization: handling variable length data

in simplest case std::string is serialized this way: length|string data. in this case it's possible to feed invalid data to deserialization function so that application stalls waiting for the os to reserve huge pile or ram, or fails with bad alloc. this invalid data could be intentionally manually edited or as well it could be the case where you serialize ints and then try to deserialize data as strings (or whatever else). isn't it possible to have archives such check somehow the size of available stream data. (eg, for stringstream), or archives that initialized with a data pointer and the size of the data pointed by that pointer or maybe something else here's a complete example that shows such problem in action ///////////////////////////// #include <iostream> #include <fstream> #include <string> #include <ctime> #include #include #include using namespace std; using namespace boost::archive; int main()try{ string s1 = "Hello world!", s2; { ofstream file("data.txt", ios::binary | ios::trunc); text_oarchive a(file, no_header); a << s1; } time_t t(time(0)); { ifstream file("data.txt", ios::binary); binary_iarchive a(file, no_header); a >> s2; } cout << "time elapsed: " << (time(0)-t) << "s" << endl; cout << "s2.size() => " << s2.size() << "\n" "s2 => \"" << s2.substr(0,64) << "...\"" << endl; }catch(const exception &e){ cout << "error: " << e.what() << endl; } ///////////////////////////// and the output I got on win xp: time elapsed: 110s s2.size() => 1210069553 s2 => "ello world! ..."