diff --git a/Makefile b/Makefile index d95111bed4..fbbff04775 100644 --- a/Makefile +++ b/Makefile @@ -60,6 +60,9 @@ proto-generate: test: for m in $(HAND_MODS); do (cd $$m && go test ./... -race) || exit 1; done +fuzz: + cd sdk && go test ./... -fuzztime=2m + bench: for m in $(HAND_MODS); do (cd $$m && go test -bench ./... -benchmem) || exit 1; done diff --git a/sdk/fuzz_test.go b/sdk/fuzz_test.go new file mode 100644 index 0000000000..bb11a1139c --- /dev/null +++ b/sdk/fuzz_test.go 
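Review bot: The new `fuzz` target at the `+fuzz:` line does not start the fuzzing engine: `go test ./... -fuzztime=2m` carries no `-fuzz=` selector, so as far as I can tell the seed corpora are run as ordinary tests and `-fuzztime` is ignored, which makes the target pass green without fuzzing anything. `go test -fuzz` also has to be pointed at a single package and its pattern must match exactly one Fuzz function, so the three targets in sdk and the one in sdk/internal/archive each need their own invocation, e.g. `cd sdk && go test . -fuzz='^FuzzLoadTDF$$' -fuzztime=2m` (doubled `$` for make) and likewise for the other three. A shell loop over the fuzz names that exits on the first failure, as the `test` target already does, keeps the recipe short.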
@@ -0,0 +1,140 @@ +package sdk + +import ( + "bytes" + "encoding/base64" + "io" + "testing" + + "github.com/opentdf/platform/lib/ocrypto" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func writeBytes(writerFunc func(io.Writer) error) []byte { + writer := bytes.NewBuffer(nil) + _ = writerFunc(writer) + return writer.Bytes() +} + +func newSDK() *SDK { + key, _ := ocrypto.NewRSAKeyPair(tdf3KeySize) + cfg := &config{ + kasSessionKey: &key, + } + sdk := &SDK{ + config: *cfg, + kasKeyCache: newKasKeyCache(), + } + return sdk +} + +func unverifiedBase64Bytes(str string) []byte { + b, _ := base64.StdEncoding.DecodeString(str) + return b +} + +func FuzzLoadTDF(f *testing.F) { + sdk := newSDK() + f.Add(writeBytes(func(writer io.Writer) error { + reader := bytes.NewReader([]byte("AAA")) + _, err := sdk.CreateTDF(writer, reader, func(tdfConfig *TDFConfig) error { + tdfConfig.kasInfoList = []KASInfo{{ + URL: "example.com", + PublicKey: mockRSAPublicKey1, + Default: true, + }} + return nil + }) + require.NoError(f, err) + return err + })) + // seed with large manifest allocation + f.Add(unverifiedBase64Bytes("UEsDBC0ACAAAAH11LzEAAAAAAAAAAAAAAAAJAAAAM" + + "C5wYXlsb2Fk5LJYrTiapi/CUQ0dlqMU0/VmunX+qRIyQghasf6aEVBLBwgke7o5HwAAAB8A" + + "AABQSwMELQAIAAAAfXUvMQAAAAAAAAAAAAAAAA8AAAAwLm1hbmlmZXN0Lmpzb257ImVOY3J" + + "5cHRpb25JbmZvcm1hdGlvbiI6eyJ0eXBlIjoic3BsaXQiLCJwb2xpY3kiOiJleUoxZFdsa0" + + "lqb2lZakF3TW1WaU9USXROV0l4TkMweE1XVm1MVGt4TW1NdFlXRTFZalprWlRjMVlUQmpJa" + + "XdpWW05a2VTSTZleUprWVhSaFFYUjBjbWx5ZFhSbGN5STZiblZzYkN3aVpHbHpjMlZ0SWpw" + + "dWRXeHNmWDA9Iiwia2V5QWNjZXNzIjpbeyJ0eXBlIjoid3JhcHBlZCIsInVybCI6ImV4YW1" + + "wbGUuY29tIiwicHJvdG9jb2wiOiJrYXMiLCJ3cmFwcGVkS2V5IjoiV1dZait3anNMQmtrU2" + + "FjTzZ2dEpJaTBLMUJQMVhtT2lzcFNrdm8wRm5QV0ZLM050UTVzN3YwOVpqQ05NV0JRK1VPa" + + "VhUTVNWa1JkNUdsTHlMblg3bjY4dDBmSDk0RnMyTnRjcFJwMSt6YStjdzVGRldFQy9uQUJp" + + "TmtPdldLeHdqeG5YQ1pEazZ4U3o1ZHdCT1MraUVCYXJ6WGMzR3oxR2JYcm5Ka0YvaitUUDR" + + 
"rbTJUYUpXN0cybFJaQ0J6T1M5RkpoSEFIcFBIcFF4V2tNK2FuZjJ1WExRV1UxT00vaHFVRz" + + "VFUG9nR0pYM3MxaVRmek4xNFhiczU5TmYyOU1rc284VjhJSnNOWVRPblBIejY4Q3VvOGdjc" + + "XZHd3J0a3FKQmlmYVM3N1FRQWxwUTcrSU9GME9ZSjh1WTZLZG1najltSU1aRUVaYkI3V2hO" + + "blNBbG9paWZBPT0iLCJwb2xpY3lCaW5kaW5nIjp7ImFsZyI6IkhTMjU2IiwiaGFzaCI6Ilp" + + "UY3pZMkV5WkdReVkySTJNRGN4WmpnellXVTVNRGsxWXpnNU5XWXhOalUwWVRjNE5tTXpPV1" + + "EwTW1JM05qQmxOemxsTmpWaVltWTRZalUyWkdNd013PT0ifX1dLCJtZXRob2QiOnsiYWxnb" + + "3JpdGhtIjoiQUVTLTI1Ni1HQ00iLCJpdiI6IiIsImlzU3RyZWFtYWJsZSI6dHJ1ZX0sImlu" + + "dGVncml0eUluZm9ybWF0aW9uIjp7InJvb3RTaWduYXR1cmUiOnsiYWxnIjoiSFMyNTYiLCJ" + + "zaWciOiJNRFZqTURReE1EWmtNR00wWlRRMllUZG1PRFJrWVRJM09UZGlPREk1WVRWak5EVX" + + "hPRGs0TkRreE1HWTFaV1kxTXpKbVpHWmtZMlkwWWprek0yVmhOZz09In0sInNlZ21lbnRIY" + + "XNoQWxnIjoiR01BQyIsInNlZ21lbnRTaXplRGVmYXVsdCI6MjA5NzE1MiwiZW5jcnlwdGVk" + + "U2VnbWVudFNpemVEZWZhdWx0IjoyMDk3MTgwLCJzZWdtZW50cyI6W3siaGFzaCI6IlpETm1" + + "OVFkyWW1FM05XWmxZVGt4TWpNeU5ESXdPRFZoWWpGbVpUbGhNVEU9Iiwic2VnbWVudFNpem" + + "UiOjMsImVuY3J5cHRlZFNlZ21lbnRTaXplIjozMX1dfX0sInBheWxvYWQiOnsidHlwZSI6I" + + "nJlZmVyZW5jZSIsInVybCI6IjAucGF5bG9hZCIsInByb3RvY29sIjoiemlwIiwibWltZVR5" + + "cGUiOiJhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0iLCJpc0VuY3J5cHRlZCI6dHJ1ZX19UEs" + + "HCALoriwCBQAAAgUAAFBLAQItAC0ACAAAAH11LzEke7o5HwAAAB8AAAAJAAAAAAAAAAAAAA" + + "AAAAAAAAAwLnBheWxvYWRQSwECLQAtAAgAAAB9dS8xAuiuLAIE///tBQAADwAAAAAAAAAAA" + + "AAAAABWAAAAMC5tYW5pZmVzdC5qc29uUEsFBgAAAAACAAIAdAAAAJUFAAAAAA==")) + + f.Fuzz(func(t *testing.T, data []byte) { + r, err := sdk.LoadTDF(bytes.NewReader(data)) + if err != nil { + assert.Nil(t, r) + return + } + assert.NotNil(t, r) + // TODO fuzz r somewhat + }) +} + +func FuzzReadPolicyBody(f *testing.F) { + pb := &PolicyBody{ + mode: 0, + rp: remotePolicy{ + url: ResourceLocator{ + protocol: 0, + body: "example.com", + }, + }, + } + f.Add(writeBytes(pb.writePolicyBody)) + pb = &PolicyBody{ + mode: 1, + ep: embeddedPolicy{ + lengthBody: 3, + body: []byte("foo"), + }, + } + 
f.Add(writeBytes(pb.writePolicyBody)) + + f.Fuzz(func(t *testing.T, data []byte) { + pb = &PolicyBody{} + err := pb.readPolicyBody(bytes.NewReader(data)) + if err != nil { + assert.Zerof(t, *pb, "unexpected %v", *pb) + return + } + }) +} + +func FuzzNewResourceLocatorFromReader(f *testing.F) { + f.Add([]byte{0x00, 0x00, 0x00}) // zero size + f.Add([]byte{0x00, 0xFF, 0x00}) // max size + // example self encoded + rl, _ := NewResourceLocator("https://example.com") + f.Add(writeBytes(rl.writeResourceLocator)) + + f.Fuzz(func(t *testing.T, data []byte) { + r, err := NewResourceLocatorFromReader(bytes.NewReader(data)) + if err != nil { + assert.Nil(t, r) + return + } + require.NotNil(t, r) + }) +} diff --git a/sdk/internal/archive/fuzz_test.go b/sdk/internal/archive/fuzz_test.go new file mode 100644 index 0000000000..c66893dc43 --- /dev/null +++ b/sdk/internal/archive/fuzz_test.go 
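Review bot: `unverifiedBase64Bytes` discards the `DecodeString` error, so a typo in one of the long seed literals silently turns the "large manifest allocation" regression seed into an empty or truncated input and the fuzz run still passes; fail loudly instead, `b, err := base64.StdEncoding.DecodeString(str)` / `if err != nil { panic(err) }` / `return b`. The same helper with the same omission is duplicated in sdk/internal/archive/fuzz_test.go. `newSDK` likewise drops the `ocrypto.NewRSAKeyPair` error and `writeBytes` drops the writer's error, so a seed built from `pb.writePolicyBody` or `rl.writeResourceLocator` that fails to serialize is added as an empty corpus entry rather than reported. In `FuzzReadPolicyBody` the fuzz closure assigns to the captured outer `pb` instead of declaring its own; `pb := &PolicyBody{}` inside the closure removes the shared variable and reads more clearly.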
@@ -0,0 +1,143 @@ +package archive + +import ( + "bytes" + "encoding/base64" + "testing" + + "github.com/stretchr/testify/assert" +) + +func unverifiedBase64Bytes(str string) []byte { + b, _ := base64.StdEncoding.DecodeString(str) + return b +} + +func FuzzReader(f *testing.F) { + // seeds derived from existing unit tests + f.Add(unverifiedBase64Bytes("UEsDBC0ACAAAAD2WLTEAAAAAAAAAAAAAAAAJAAAAM" + + "C5wYXlsb2Fk08izTVcCMQg+XVhewRxbr57U17gYv3bdYO41/zR3XrezUEsHCApBjlYhAAAA" + + "IQAAAFBLAwQtAAgAAAA9li0xAAAAAAAAAAAAAAAADwAAADAubWFuaWZlc3QuanNvbnsiZW5" + + "jcnlwdGlvbkluZm9ybWF0aW9uIjp7InR5cGUiOiJzcGxpdCIsInBvbGljeSI6ImV5SjFkV2" + + "xrSWpvaVkyRmhPVEJpWVdFdE5UbGhOQzB4TVdWbUxUbGhNVFl0WVdFMVlqWmtaVGMxWVRCa" + + "klpd2lZbTlrZVNJNmV5SmtZWFJoUVhSMGNtbGlkWFJsY3lJNmJuVnNiQ3dpWkdsemMyVnRJ" + + "anB1ZFd4c2ZYMD0iLCJrZXlBY2Nlc3MiOlt7InR5cGUiOiJ3cmFwcGVkIiwidXJsIjoiaHR" + + "0cDovL2xvY2FsaG9zdDo2NTQzMi8iLCJwcm90b2NvbCI6ImthcyIsIndyYXBwZWRLZXkiOi" + + "JkK3dobEZJdEF2Y3lYYU5ZcWpmRmpiWXVDZVBGcTRyOS9ZSFJLeTJwWmwwRkxqa29oK3FUV" + + "XRJVkZOMFlkYjA5S0M3ZytkUllBdTFTSzYxYjE1MUJYRFJhZG9zQ1crTUlDWUFid1RLWENY" + + "RG15TW1HaVhKU2RHcWxza2NlakVJWXVUbDBXaGwxVisyUlhEZkl1WXZKN1N2YmZ2OExVVmN" + + "tNHFXR1R1RDBjcmVQNnhWaHVQdVE2V1FIOWlZNlA4K3kwUG92MEd3VzNTOWhZdlBjY3pNcG" + + "F0UTZPMytsbGZsYkxGRjZVcVdQMGVZcGxWU21nZXg1V3BjWFlreFJHdGZJTkRhYzBqS1NnM" + + "FpTUDdxbThQNXdPd2F3NlgzbUNQL3ZpYkxXQy9UYUczVEg0bmY2dXgvbWc3NEFvUWxockFs" + + "TUdpMTJwNUxGL0VabVZYeXlrSnhpYkE9PSIsInBvbGljeUJpbmRpbmciOnsiYWxnIjoiSFM" + + "yNTYiLCJoYXNoIjoiWTJRME1qWmhOVE15WWpoa09EQmtZamN5WWpGaE5XWTFZakkwTXpFek" + + "0yRmxaV1pqTTJWa1lqTXhOMlk1TnpNMk5EWmtNV0kxT0RFMU1tRTRNekJrT1E9PSJ9LCJra" + + "WQiOiJyMSJ9XSwibWV0aG9kIjp7ImFsZ29yaXRobSI6IkFFUy0yNTYtR0NNIiwiaXYiOiIi" + + "LCJpc1N0cmVhbWFibGUiOnRydWV9LCJpbnRlZ3JpdHlJbmZvcm1hdGlvbiI6eyJyb290U2l" + + "nbmF0dXJlIjp7ImFsZyI6IkhTMjU2Iiwic2lnIjoiTlRZMk1USTJaVFUxTWpRd09HVTVaR1" + + "kxT0dZM01qSmtObVEwTTJVd05XWTNNRGMwTm1RME1qZG1OVEEwTURKaFpUZzVNREExWVRRM" + + 
"FlqTTFOekJqTWc9PSJ9LCJzZWdtZW50SGFzaEFsZyI6IkdNQUMiLCJzZWdtZW50U2l6ZURl" + + "ZmF1bHQiOjIwOTcxNTIsImVuY3J5cHRlZFNlZ21lbnRTaXplRGVmYXVsdCI6MjA5NzE4MCw" + + "ic2VnbWVudHMiOlt7Imhhc2giOiJaRFJrTjJJNE1UaGlaamMyWkdRMk1HVmxNelZtWmpNME" + + "56YzFaV0kzWWpNPSIsInNlZ21lbnRTaXplIjo1LCJlbmNyeXB0ZWRTZWdtZW50U2l6ZSI6M" + + "zN9XX19LCJwYXlsb2FkIjp7InR5cGUiOiJyZWZlcmVuY2UiLCJ1cmwiOiIwLnBheWxvYWQi" + + "LCJwcm90b2NvbCI6InppcCIsIm1pbWVUeXBlIjoidGV4dC9wbGFpbiIsImlzRW5jcnlwdGV" + + "kIjp0cnVlfX1QSwcICGOQ8AsFAAALBQAAUEsBAi0ALQAIAAAAPZYtMQpBjlYhAAAAIQAAAA" + + "kAAAAAAAAAAAAAAAAAAAAAADAucGF5bG9hZFBLAQItAC0ACAAAAD2WLTEIY5DwCwUAAAsFA" + + "AAPAAAAAAAAAAAAAAAAAFgAAAAwLm1hbmlmZXN0Lmpzb25QSwUGAAAAAAIAAgB0AAAAoAUA" + + "AAAA")) + f.Add(unverifiedBase64Bytes("UEsDBC0ACAAAAD2WLTEAAAAAAAAAAAAAAAAJAAAAM" + + "C5wYXlsb2FkDSvwsbJutP3SwAxiF0WieCKrIIVAG0Ae4OHfVLFcwnhWAm13w4okVqReL7GB" + + "CmiI3OQIvl2zo7KWZABCfFLDc+9oCaRVnBaOWUy5ruMQlHeXJ3SdSZe0K3F77OHYueUWDh/" + + "WCdb+GG3LVQkOdKPr+GvIcOTktlJJojnFZTZ5fKxKzNwTNrTCAgqdzFU2RH696b3Nl0S3AW" + + "ovOWSM8UQ9mAB+H8x+QlSjHLX5m6OCGRFHLYInvLeHhbbso/8OU11LHjMqHeMOsyJAfpupo" + + "kv59QPa0XfjtXAhHp6M+V1zF3rJl3TTWq3NNnYfm29pYBkV4Cs9nBsZQ+LnhBMqXKLfic8b" + + "vAc+zShk2f6jmaZfiXSLWFDVxZjLGaGCWX8gvkOG8HlajEVI8bSDiC1JO9kIqBJxNFFmyPl" + + "HvMPEkx1sG2ZaYYZERc+JpJQTxnM6jI45JQ4JXCYPUP+m9RVlAkH2Stg719P3USbJFbvxgT" + + "XhsuTH0talbolQdKd3i7Zrl62DLn6GByJ/LqZNiNRy2PgDo2IFpx7J9VUQNfj9RjpoPzRmS" + + "lOIk+MFA4twmhYgWtSU6BsdynSirYZ4zZP0VrJ1TFVPygoGVsNy3CdP39kURmndFq6JPdcF" + + "uZ1Wx3zCur5aqmb6bDz1rIjmBpzkdmqoGWNPpsim6Tzkc6sBe90eASg8ksg40Bu4JVwFUD/" + + "XMH8oGWvP+5xriMckeCOEiGSJ1Ro0JDPv5kWoddLqz4XrPJ5jzy/Y82ZXbIji1PEf04J7nn" + + "NGQVzpYvqZszXNaEkri9VCcC1xgrgMJAYDRuGmGpw28kffaB9hMr2Ee5ubDwysEEAJhSYJb" + + "iityJpbuG8J4JBiKd5kdrr55SOPwG7ycJLdz1e0uhKHFpAyJJgNTRVaALVdm0W0kCmCeZTu" + + "OGL5naIY7iQGVB4iIFOpj2tbb1sm/bhsTz+fzd30Rf/SiNjn1bKXKKFygvBKIZ8rtUZwbp5" + + "FcghXtffgeGOo5omQ0XBUOmKW1V+lRVXUXjL6frYVe1y6ZkZQo+VCE/yKPqOQEZeAJSViWK" + + 
"7lPpavnSqcsgGZImiF7eeegvTIJks8vJOaqOXfEKpLKlGIpv+/dHrGgmq8OhkPFa/PjHC4Y" + + "EkNjNzL0PwTuX8OPcDAoGZ+DzSVnlS+iISNaN2x28o460YIYrMLeg1G/W8pFAk7zYyWLxLD" + + "T8kLY4FKdidD6OAtgSxJSmvRZnS01x9K1sVFTyy/Ng1SjnuwAM8e9tV3G7ffD1JK8VCglNx" + + "ZfOmKrt28EnKlU7+gAYC6vZQLgYLQzAYe8Dufq4xcUQ8oAmXdpQo+TiFGK7MuWGTZOpEa9w" + + "sQsviEqOqRU6Fsyy0KIYdUWa2NvAww862M9cDhT1UETESHGmOOmuBJunFLzAwKlI1QSwcIc" + + "cpeYxwEAAAcBAAAUEsDBC0ACAAAAD2WLTEAAAAAAAAAAAAAAAAPAAAAMC5tYW5pZmVzdC5q" + + "c29ueyJlbmNyeXB0aW9uSW5mb3JtYXRpb24iOnsidHlwZSI6InNwbGl0IiwicG9saWN5Ijo" + + "iZXlKMWRXbGtJam9pWTJGa09ETmlZalF0TlRsaE5DMHhNV1ZtTFRsaE1UWXRZV0UxWWpaa1" + + "pUYzFZVEJqSWl3aVltOWtlU0k2ZXlKa1lYUmhRWFIwY21saWRYUmxjeUk2Ym5Wc2JDd2laR" + + "2x6YzJWdElqcHVkV3hzZlgwPSIsImtleUFjY2VzcyI6W3sidHlwZSI6IndyYXBwZWQiLCJ1" + + "cmwiOiJodHRwOi8vbG9jYWxob3N0OjY1NDMyLyIsInByb3RvY29sIjoia2FzIiwid3JhcHB" + + "lZEtleSI6ImxDeHJnQ2dRUTlhYUdTRW5mcUpFK1h6a1pBaUVNMW1qRkpHR292MkFGQnJnUl" + + "J2aVU1WjZhNUJnSk15OU9tcWdORG5Db0ozWmQ4a1BzaGdSK25JdmpuUlBDdnRBcUo2NFlMT" + + "XVnaXI2dUxoU1VUb241SE1HRXVZcU1lTVkrNmRnbkdteDN0Ty9uZmJTNDBpQk1sZmxKcG0w" + + "bFNudExjZTFQd1VVbHJ5VkR4cTVUaHVROEFlaS9CUkNPMnpnT3Q2UjQwK3cxcjF3SnEwVXp" + + "MdzAraFY3dlJxdmJxVFluQmF4d3lhdTFhUmxHZ1VQUGFOWmFOcVpiUkdVYko4Z3R1bTRNQ0" + + "5DNmZJajFzR0NyM2FTSjdKTEFFRjlQdm9DL3RQd2diOXpiU0x1M0czb0kzUXY4aVl0Zk5PU" + + "3ZxaEZoajlTdVFTMWlFNGlxYmZ4Skp6Um0yRm9QZz09IiwicG9saWN5QmluZGluZyI6eyJh" + + "bGciOiJIUzI1NiIsImhhc2giOiJNell6TXpFMVpEWTFNVGt3WlRBeFkySXhNVEF6TURObU5" + + "HSTFPR1JqWXpFMVl6RXpaamswWkRrMVpETTFOMkV4WWpFd09XRmhaamxpWlRjMllUZzBZdz" + + "09In0sImtpZCI6InIxIn1dLCJtZXRob2QiOnsiYWxnb3JpdGhtIjoiQUVTLTI1Ni1HQ00iL" + + "CJpdiI6IiIsImlzU3RyZWFtYWJsZSI6dHJ1ZX0sImludGVncml0eUluZm9ybWF0aW9uIjp7" + + "InJvb3RTaWduYXR1cmUiOnsiYWxnIjoiSFMyNTYiLCJzaWciOiJNR014WmpZeFlqazVZbVp" + + "qTkdVNFlqSTVPREEzTWpJeFlURTJOREUzTXpRd01XTmpZVFJsWmpBd05tSmlOVFkwTVdFel" + + "l6WmlNekl6T1dRNE9XRTVNUT09In0sInNlZ21lbnRIYXNoQWxnIjoiR01BQyIsInNlZ21lb" + + 
"nRTaXplRGVmYXVsdCI6MjA5NzE1MiwiZW5jcnlwdGVkU2VnbWVudFNpemVEZWZhdWx0Ijoy" + + "MDk3MTgwLCJzZWdtZW50cyI6W3siaGFzaCI6Ik5EUTROekZoTmpNNFpUbGhaVEEwT1dKaE5" + + "6RTBZbU5qTUdNd1lUazBPR1E9Iiwic2VnbWVudFNpemUiOjEwMjQsImVuY3J5cHRlZFNlZ2" + + "1lbnRTaXplIjoxMDUyfV19fSwicGF5bG9hZCI6eyJ0eXBlIjoicmVmZXJlbmNlIiwidXJsI" + + "joiMC5wYXlsb2FkIiwicHJvdG9jb2wiOiJ6aXAiLCJtaW1lVHlwZSI6ImFwcGxpY2F0aW9u" + + "L29jdGV0LXN0cmVhbSIsImlzRW5jcnlwdGVkIjp0cnVlfX1QSwcI9qRQPB4FAAAeBQAAUEs" + + "BAi0ALQAIAAAAPZYtMXHKXmMcBAAAHAQAAAkAAAAAAAAAAAAAAAAAAAAAADAucGF5bG9hZF" + + "BLAQItAC0ACAAAAD2WLTH2pFA8HgUAAB4FAAAPAAAAAAAAAAAAAAAAAFMEAAAwLm1hbmlmZ" + + "XN0Lmpzb25QSwUGAAAAAAIAAgB0AAAArgkAAAAA")) + // large defined filename + f.Add(unverifiedBase64Bytes("UEsDBC0ACAAAAH11LzEAAAAAAAAAAAAAAAAJAAAAM" + + "C5wYXlsb2Fk5LJYrTiapi/CUQ0dlqMU0/VmunX+qRIyQghasf6aEVBLBwgke7o5HwAAAB8A" + + "AABQSwMELQAIAAAAfXUvMQAAAAAAAAAAAAAAAA8AAAAwLm1hbmlmZXN0Lmpzb257ImVOY3J" + + "5cHRpb25JbmZvcm1hdGlvbiI6eyJ0eXBlIjoic3BsaXQiLCJwb2xpY3kiOiJleUoxZFdsa0" + + "lqb2lZakF3TW1WaU9USXROV0l4TkMweE1XVm1MVGt4TW1NdFlXRTFZalprWlRjMVlUQmpJa" + + "XdpWW05a2VTSTZleUprWVhSaFFYUjBjbWx5ZFhSbGN5STZiblZzYkN3aVpHbHpjMlZ0SWpw" + + "dWRXeHNmWDA9Iiwia2V5QWNjZXNzIjpbeyJ0eXBlIjoid3JhcHBlZCIsInVybCI6ImV4YW1" + + "wbGUuY29tIiwicHJvdG9jb2wiOiJrYXMiLCJ3cmFwcGVkS2V5IjoiV1dZait3anNMQmtrU2" + + "FjTzZ2dEpJaTBLMUJQMVhtT2lzcFNrdm8wRm5QV0ZLM050UTVzN3YwOVpqQ05NV0JRK1VPa" + + "VhUTVNWa1JkNUdsTHlMblg3bjY4dDBmSDk0RnMyTnRjcFJwMSt6YStjdzVGRldFQy9uQUJp" + + "TmtPdldLeHdqeG5YQ1pEazZ4U3o1ZHdCT1MraUVCYXJ6WGMzR3oxR2JYcm5Ka0YvaitUUDR" + + "rbTJUYUpXN0cybFJaQ0J6T1M5RkpoSEFIcFBIcFF4V2tNK2FuZjJ1WExRV1UxT00vaHFVRz" + + "VFUG9nR0pYM3MxaVRmek4xNFhiczU5TmYyOU1rc284VjhJSnNOWVRPblBIejY4Q3VvOGdjc" + + "XZHd3J0a3FKQmlmYVM3N1FRQWxwUTcrSU9GME9ZSjh1WTZLZG1najltSU1aRUVaYkI3V2hO" + + "blNBbG9paWZBPT0iLCJwb2xpY3lCaW5kaW5nIjp7ImFsZyI6IkhTMjU2IiwiaGFzaCI6Ilp" + + "UY3pZMkV5WkdReVkySTJNRGN4WmpnellXVTVNRGsxWXpnNU5XWXhOalUwWVRjNE5tTXpPV1" + + 
"EwTW1JM05qQmxOemxsTmpWaVltWTRZalUyWkdNd013PT0ifX1dLCJtZXRob2QiOnsiYWxnb" + + "3JpdGhtIjoiQUVTLTI1Ni1HQ00iLCJpdiI6IiIsImlzU3RyZWFtYWJsZSI6dHJ1ZX0sImlu" + + "dGVncml0eUluZm9ybWF0aW9uIjp7InJvb3RTaWduYXR1cmUiOnsiYWxnIjoiSFMyNTYiLCJ" + + "zaWciOiJNRFZqTURReE1EWmtNR00wWlRRMllUZG1PRFJrWVRJM09UZGlPREk1WVRWak5EVX" + + "hPRGs0TkRreE1HWTFaV1kxTXpKbVpHWmtZMlkwWWprek0yVmhOZz09In0sInNlZ21lbnRIY" + + "XNoQWxnIjoiR01BQyIsInNlZ21lbnRTaXplRGVmYXVsdCI6MjA5NzE1MiwiZW5jcnlwdGVk" + + "U2VnbWVudFNpemVEZWZhdWx0IjoyMDk3MTgwLCJzZWdtZW50cyI6W3siaGFzaCI6IlpETm1" + + "OVFkyWW1FM05XWmxZVGt4TWpNeU5ESXdPRFZoWWpGbVpUbGhNVEU9Iiwic2VnbWVudFNpem" + + "UiOjMsImVuY3J5cHRlZFNlZ21lbnRTaXplIjozMX1dfX0sInBheWxvYWQiOnsidHlwZSI6I" + + "nJlZmVyZW5jZSIsInVybCI6IjAucGF5bG9hZCIsInByb3RvY29sIjoiemlwIiwibWltZVR5" + + "cGUiOiJhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0iLCJpc0VuY3J5cHRlZCI6dHJ1ZX19UEs" + + "HCALoriwCBQAAAgUAAFBLAQItAC0ACAAAAH11LzEke7o5HwAAAB8AAAAJAAAAAAAAAAAAAA" + + "AAAAAAAAAwLnBheWxvYWRQSwECLQAtAAgAAAB9dS8xAuiuLAIE///tBQAADwAAAAAAAAAAA" + + "AAAAABWAAAAMC5tYW5pZmVzdC5qc29uUEsFBgAAAAACAAIAdAAAAJUFAAAAAA==")) + + f.Fuzz(func(t *testing.T, data []byte) { + reader, err := NewReader(bytes.NewReader(data)) + if err != nil { + return + } + for k := range reader.fileEntries { + b, err := reader.ReadAllFileData(k, 1024*1024*20 /* 20MB Limit */) + if err != nil { + assert.Empty(t, b) + } + } + }) +} diff --git a/sdk/internal/archive/reader.go b/sdk/internal/archive/reader.go index e1eeb8ab72..e8fca063b8 100644 --- a/sdk/internal/archive/reader.go +++ b/sdk/internal/archive/reader.go 
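Review bot: The success path in `FuzzReader`'s fuzz body never inspects what `ReadAllFileData` returned; when `err == nil` it is worth asserting the data matches the entry's declared size, e.g. `assert.Len(t, b, int(reader.fileEntries[k].length))`, assuming `length` is the field `ReadAllFileData` bounds (it is the one used in reader.go). The 20 MiB cap per entry is also generous for a harness whose seeds are a few KiB: if `ReadAllFileData` sizes its buffer from the declared length, a mutated central directory with many near-cap entries makes each iteration expensive, and a cap around 1 MiB would keep the run fast while still exercising the size check. The comment `/* 20MB Limit */` should read `20 MiB` to match the KiB wording of the error in reader.go.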
@@ -232,13 +232,16 @@ func (reader Reader) ReadFileData(filename string, index int64, length int64) ([
 return readBytes(reader.readSeeker, fileNameEntry.index+index, length)
 }
 
-// ReadAllFileData Return all the data of the file
+// ReadAllFileData Return all the data of the file if the file is available and below the specified size.
 // NOTE: Use this method for small file sizes.
-func (reader Reader) ReadAllFileData(filename string) ([]byte, error) {
+func (reader Reader) ReadAllFileData(filename string, maxSize int64) ([]byte, error) {
 fileNameEntry, ok := reader.fileEntries[filename]
 if !ok {
 return nil, errZipFileNotFound
 }
+ if fileNameEntry.length > maxSize {
+ return nil, fmt.Errorf("%s size too large: %d KiB", filename, fileNameEntry.length/1024) //nolint:mnd // convert byte->kb
+ }
 return readBytes(reader.readSeeker, fileNameEntry.index, fileNameEntry.length)
 }
 
diff --git a/sdk/internal/archive/tdf3_reader.go b/sdk/internal/archive/tdf3_reader.go
index d4961b44fd..56ffc8a482 100644
--- a/sdk/internal/archive/tdf3_reader.go
+++ b/sdk/internal/archive/tdf3_reader.go
@@ -11,6 +11,7 @@ type TDFReader struct {
 const (
 TDFManifestFileName = "0.manifest.json"
 TDFPayloadFileName = "0.payload"
+ manifestMaxSize = 1024 * 1024 * 10 // 10 MB
 )
 
 // NewTDFReader Create tdf reader instance.
@@ -28,7 +29,7 @@ func NewTDFReader(readSeeker io.ReadSeeker) (TDFReader, error) {
 
 // Manifest Return the manifest of the tdf.
 func (tdfReader TDFReader) Manifest() (string, error) {
- fileContent, err := tdfReader.archiveReader.ReadAllFileData(TDFManifestFileName)
+ fileContent, err := tdfReader.archiveReader.ReadAllFileData(TDFManifestFileName, manifestMaxSize)
 if err != nil {
 return "", err
 }
diff --git a/sdk/resource_locator.go b/sdk/resource_locator.go
index 13ed15e1f3..2bf746dcdc 100644
--- a/sdk/resource_locator.go
+++ b/sdk/resource_locator.go
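Review bot: The `// NOTE: Use this method for small file sizes.` line in `ReadAllFileData` is now stale, since the caller passes the bound explicitly and oversized entries are refused; replacing it with `// The read is refused when the entry's declared length exceeds maxSize bytes, so the` / `// allocation is bounded by the caller rather than by the archive's central directory.` documents the new parameter and why it exists. The error message would be more useful for diagnosing a rejected archive if it also carried the limit, `fmt.Errorf("%s size too large: %d KiB (limit %d KiB)", filename, fileNameEntry.length/1024, maxSize/1024)`. Note that the new check bounds only the declared `length` used by this method; `ReadFileData` just above, whose body is outside the hunk, still hands a caller-supplied `length` straight to `readBytes`, so callers of that path need their own limit.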
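Review bot: `manifestMaxSize` is added to the const block without saying what it bounds, so a reader of tdf3_reader.go cannot tell it is the cap handed to `ReadAllFileData` in `Manifest`. Suggest `// manifestMaxSize caps the manifest size Manifest() will read into memory; larger manifests are rejected rather than allocated.` above it, and since this is a defensive limit rather than a format constant, a few words on how the value was chosen belong there too. The trailing `// 10 MB` only restates the arithmetic, and 1024*1024*10 is 10 MiB, which is the unit reader.go's error message also uses.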
@@ -48,28 +48,11 @@ func NewResourceLocator(url string) (*ResourceLocator, error) {
 
 func NewResourceLocatorFromReader(reader io.Reader) (*ResourceLocator, error) {
 rl := &ResourceLocator{}
- oneByte := make([]byte, 1)
-
- _, err := reader.Read(oneByte)
- if err != nil {
- return rl, err
- }
- rl.protocol = urlProtocol(oneByte[0])
-
- _, err = reader.Read(oneByte)
- if err != nil {
- return rl, err
- }
-
- l := oneByte[0]
- body := make([]byte, l)
- _, err = reader.Read(body)
+ err := rl.readResourceLocator(reader)
 if err != nil {
- return rl, err
+ return nil, err
 }
- rl.body = string(body)
-
- return rl, err
+ return rl, nil
 }
 
 // getLength - return the serialized length (in bytes) of this object
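Review bot: `NewResourceLocatorFromReader` now delegates to `rl.readResourceLocator`, which is not part of this diff, so the correctness of the fix rests on that helper: the removed code's defect was a single `reader.Read` for the protocol byte, the length byte and the body, which can short-read on a non-buffering reader; please confirm the helper uses `io.ReadFull` for each of those reads, otherwise the same bug survives behind the new call. The error contract also changed from a partially filled locator to `nil`, which is what the new fuzz test asserts; the function's doc comment sits above the hunk and should state `On error the returned locator is nil.` so callers do not dereference the result. Wrapping as `return nil, fmt.Errorf("reading resource locator: %w", err)` would tell callers which step of parsing failed, provided `fmt` is already imported in this file.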