Changelog:
=========
- Added the max_depth decoder parameter to limit the maximum allowed nesting
level of containers, with a default value of 400 levels (CVE-2026-26209)
- Changed the default read_size from 4096 to 1 for backwards compatibility. The
buffered reads introduced in 5.8.0 could cause issues when code needs to
access the stream position after decoding. Users can opt-in to faster decoding
by passing read_size=4096 when they don't need to access the stream directly
after decoding. Added a direct read path for read_size=1 to avoid buffer
management overhead.
- Fixed C encoder not respecting string referencing when encoding string-type
datetimes (tag 0)
- Fixed a missed check for an exception in the C implementation of
CBOREncoder.encode_shared()
- Fixed two reference/memory leaks in the C extension's long string decoder
- Fixed C decoder ignoring the str_errors setting when decoding strings, and
improved string decoding performance by using stack allocation for small
strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster
deserialization.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
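
The max_depth entry in the changelog above bounds container nesting during decoding. The following is an added example, not code from cbor2 or from this commit: a non-recursive pre-check that walks one CBOR item and rejects input nested deeper than a limit, using the changelog's default of 400. The names max_nesting and NestingTooDeep are hypothetical, and counting tags and indefinite-length strings as levels is an assumption of this sketch, not a statement about cbor2's own accounting.

```python
class NestingTooDeep(ValueError):
    """More items are open at once than max_depth allows."""

def max_nesting(data: bytes, max_depth: int = 400) -> int:
    """Walk one CBOR item without recursion; return the deepest nesting seen."""
    # stack holds children still expected per open item; None = indefinite
    pos, deepest, stack = 0, 0, []
    while True:
        if pos >= len(data):
            raise ValueError("truncated input")
        major, info = data[pos] >> 5, data[pos] & 0x1F
        pos += 1
        if info < 24:
            arg = info
        elif info < 28:  # argument is in the next 1, 2, 4 or 8 bytes
            size = 1 << (info - 24)
            arg = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        elif info == 31 and major in (2, 3, 4, 5, 7):
            arg = None  # indefinite length, or "break" when major == 7
        else:
            raise ValueError("reserved additional information")
        children = 0
        if major == 7 and arg is None:  # break closes an indefinite item
            if not stack or stack[-1] is not None:
                raise ValueError("unexpected break")
            stack.pop()
        elif major in (2, 3) and arg is None:
            children = None  # string chunks follow until break
        elif major in (2, 3):
            pos += arg  # skip the string payload
        elif major in (4, 5):  # array: arg items; map: 2 * arg items
            children = arg if arg is None else arg * (major - 3)
        elif major == 6:
            children = 1  # a tag wraps exactly one item
        if pos > len(data):
            raise ValueError("truncated input")
        if children is None or children > 0:
            stack.append(children)
            if len(stack) > max_depth:
                raise NestingTooDeep(f"more than {max_depth} levels")
            deepest = max(deepest, len(stack))
            continue
        while stack and stack[-1] is not None:  # item done: unwind parents
            stack[-1] -= 1
            if stack[-1] > 0:
                break
            stack.pop()
        if not stack:
            return deepest
```

Because the walk keeps its own bounded stack, memory use stays proportional to max_depth regardless of how deep the input claims to be.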