<tr><td>Safe against malicious input</td><tdclass="pass">yes</td><tdclass="pass">yes</td><tdclass="pass">yes</td><tdclass="fail">no</td></tr>
<tr><td>Safe against malicious input</td><tdclass="pass">yes</td><tdclass="pass">yes</td><tdclass="pass">yes</td><tdclass="warn">opt-in upfront</td></tr>
<tr><td>Unknown field retention</td><tdclass="pass">yes</td><tdclass="pass">yes</td><tdclass="fail">no</td><tdclass="fail">no</td></tr>
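Review bot: the FlatBuffers cell for "Safe against malicious input" changes from "no" to "opt-in upfront", but a table cell cannot carry the conditions that make the "yes" true (the verifier must be called explicitly, and it is an O(n) pass, so it is not free on large mmap()ed files); consider linking the cell text or adding a footnote to the July 12 update paragraph so a reader scanning only the table does not assume bounds checking is on by default. The `warn` class is the right choice here given that the default remains unchecked. Also, as rendered, the cells read `<tdclass="pass">` with no space between the tag name and the attribute; if that is in the source rather than an artifact of this view, the pass/warn/fail styling will not apply.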
...
@@ -76,7 +76,7 @@ Cap'n Proto inherits Protocol Buffers' security stance, and is believed to be si
SBE's C++ library does bounds checking as of the resolution of [this bug](https://github.com/real-logic/simple-binary-encoding/issues/130).
FlatBuffers does no bounds checking. When reading a message, you start by giving the library a bare pointer to the start of the message, with no size. FlatBuffers appears to be intended for use as a format for static, trusted data files, not network messages.
*Update July 12, 2014:* FlatBuffers [now supports](https://github.com/google/flatbuffers/commit/a0b6ffc25b9a3c726a21e52d6453779265186dbd) performing an optional upfront verification pass over a message to ensure that all pointers are in-bounds. You must explicitly call the verifier, otherwise no bounds checking is performed. The verifier performs a pass over the entire message; it should be very fast, but it is O(n), so you lose the "random access" advantage if you are mmap()ing in a very large file. FlatBuffers is primarily designed for use as a format for static, trusted data files, not network messages.
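Review bot: the new paragraph says the verifier "ensure[s] that all pointers are in-bounds" but does not say what a caller should do with its result; add a sentence stating that any accessor on untrusted data must be gated on the verifier returning success, since the preceding sentence already establishes that no bounds checking happens otherwise. The two characterisations in the same paragraph could also be reconciled: "it should be very fast" and "you lose the 'random access' advantage" are both true but read as a contradiction unless you say the cost is linear in message size rather than in the fields accessed. Minor: the old sentence "FlatBuffers appears to be intended for use as a format for static, trusted data files" is reworded to "is primarily designed for", which reads as a firmer claim about upstream intent; if that is based on the linked commit message or FlatBuffers documentation, cite it, otherwise keep the original hedge.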