In some cases the method org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size) gets called with a "size" parameter that has not been validated by the existing method checkStringReadLength(int size).
This happens when the method is called by readMessageBegin() of the same class. The method readString(), by contrast, checks the size correctly before calling readStringBody(int size).
Since the methods readStringBody(int size) and readMessageBegin() are public, there may be other callers who don't check the size correctly.
We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller.
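One way to arrange the check so that it covers every caller and runs exactly once, shown as an added example (it is neither the attached patch nor Thrift's code): a simplified stand-alone reader in which the class name CheckedReader, the DataInputStream transport and the 1024-byte limit are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Simplified model of a length-prefixed string reader; these are not Thrift's classes.
public class CheckedReader {
    private final DataInputStream in;
    private final int stringLengthLimit; // hypothetical limit, chosen by the caller

    public CheckedReader(byte[] data, int stringLengthLimit) {
        this.in = new DataInputStream(new ByteArrayInputStream(data));
        this.stringLengthLimit = stringLengthLimit;
    }

    private void checkStringReadLength(int size) throws IOException {
        if (size < 0) throw new IOException("Negative length: " + size);
        if (size > stringLengthLimit) throw new IOException("Length exceeded max allowed: " + size);
    }

    // Length-prefixed path: delegates to readStringBody, so the check runs exactly once.
    public String readString() throws IOException {
        return readStringBody(in.readInt());
    }

    // Path where the caller has already read the size (as a message header reader does).
    // The check sits here, before the allocation, so no public entry point bypasses it.
    public String readStringBody(int size) throws IOException {
        checkStringReadLength(size);
        byte[] buf = new byte[size];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: 4-byte big-endian length 3, then "abc".
        byte[] ok = {0, 0, 0, 3, 'a', 'b', 'c'};
        System.out.println(new CheckedReader(ok, 1024).readString());

        // Constructed input: length field far larger than the payload that follows.
        byte[] bad = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, 'x'};
        CheckedReader r = new CheckedReader(bad, 1024);
        try {
            r.readStringBody(r.in.readInt()); // size read by the caller, as in a header
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```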