From 7c0e4ed1bac9c4667f3c0b89acb6d4b1216c9e38 Mon Sep 17 00:00:00 2001
From: Diogo Martins
Date: Thu, 4 Jun 2026 22:47:21 +0100
Subject: [PATCH] README: size the .NET binding field arrays to the limits (overflow-safe)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The example sized headers/query at 64/32 but Glyph11Limits.Default allows 100/128, so the arrays filled before the limit and wrongly 431'd requests within policy (the core bounds-checks every write — line 495 — so it's safe, just a lowered effective limit). Size storage from the limits (MaxHeaderCount / MaxQueryParameterCount) and note ArrayPool for large limits. Verified: an 80-header request parses with a 100-array (status 0, 80 headers) and is rejected with a 64-array (status 304 = TOO_MANY_HEADERS -> 431), no overflow.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 README.md | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 689422f..75a4151 100644
--- a/README.md
+++ b/README.md
@@ -63,10 +63,14 @@ using Glyph11.Native;
 byte[] request = Encoding.ASCII.GetBytes(
 "GET /api/users?page=1 HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n");
-Span headers = stackalloc Glyph11Field[64];
-Span query = stackalloc Glyph11Field[32];
-
-int status = Glyph11Parser.Parse(request, headers, query, Glyph11Limits.Default, out var r);
+// Storage for the parsed fields — size it to the limits, so any request the policy
+// accepts fits. A request with more headers is rejected (HTTP 431), never an
+// overflow: the core bounds-checks every write.
+var limits = Glyph11Limits.Default; // MaxHeaderCount = 100
+Span headers = stackalloc Glyph11Field[(int)limits.MaxHeaderCount];
+Span query = stackalloc Glyph11Field[(int)limits.MaxQueryParameterCount];
+
+int status = Glyph11Parser.Parse(request, headers, query, limits, out var r);
 if (status == Glyph11Parser.Ok)
 {
 string Slice(Glyph11Span s) => Encoding.ASCII.GetString(request, (int)s.Offset, (int)s.Length);
@@ -80,6 +84,11 @@ if (status == Glyph11Parser.Ok)
 // status: 0 = OK, 1 = incomplete (read more), otherwise a protocol/limit error (→ HTTP 400 / 431).
 ```
+Keep the header/query arrays at least `MaxHeaderCount` / `MaxQueryParameterCount` — a smaller
+array silently lowers your effective limit (the parser returns `TOO_MANY_HEADERS` /
+`TOO_MANY_QUERY_PARAMS` once it fills, never an overflow). For large limits, rent from
+`ArrayPool` instead of `stackalloc`.
+
 Resolve the native library with the `GLYPH11_NATIVE_PATH` environment variable, or put
 `libglyph11.{so,dll,dylib}` on the OS load path.