Add bounds check suggested by Copilot

oschwald · oschwald · commit 2bb951e88f8b · 2025-06-22T15:28:07.000-07:00
diff --git a/internal/decoder/decoder.go b/internal/decoder/decoder.go
@@ -224,6 +224,14 @@ func (d *Decoder) DecodeUInt128() (hi, lo uint64, err error) {
 		)
 	}
 
+	if offset+size > uint(len(d.d.buffer)) {
+		return 0, 0, mmdberrors.NewInvalidDatabaseError(
+			"the MaxMind DB file's data section contains bad data (offset+size %d exceeds buffer length %d)",
+			offset+size,
+			len(d.d.buffer),
+		)
+	}
+
 	for _, b := range d.d.buffer[offset : offset+size] {
 		var carry byte
 		lo, carry = append64(lo, b)
@@ -392,6 +400,13 @@ func (d *Decoder) decodeBytes(typ Type) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	if offset+size > uint(len(d.d.buffer)) {
+		return nil, mmdberrors.NewInvalidDatabaseError(
+			"the MaxMind DB file's data section contains bad data (offset+size %d exceeds buffer length %d)",
+			offset+size,
+			len(d.d.buffer),
+		)
+	}
 	d.setNextOffset(offset + size)
 	return d.d.buffer[offset : offset+size], nil
 }
diff --git a/internal/decoder/decoder_test.go b/internal/decoder/decoder_test.go
@@ -366,3 +366,32 @@ func TestPointersInDecoder(t *testing.T) {
 		})
 	}
 }
+
+// TestBoundsChecking verifies that buffer access is properly bounds-checked
+// to prevent panics on malformed databases.
+func TestBoundsChecking(t *testing.T) {
+	// Create a very small buffer that would cause out-of-bounds access
+	// if bounds checking is not working
+	smallBuffer := []byte{0x44, 0x41} // Type string (0x4), size 4, but only 2 bytes total
+	dd := NewDataDecoder(smallBuffer)
+	decoder := &Decoder{d: dd, offset: 0}
+
+	// This should fail gracefully with an error instead of panicking
+	_, err := decoder.DecodeString()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "exceeds buffer length")
+
+	// Test DecodeBytes bounds checking
+	_, err = decoder.decodeBytes(TypeBytes)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "exceeds buffer length")
+
+	// Test DecodeUInt128 bounds checking
+	largeBuffer := []byte{0x0B, 0x01} // Type uint128 (0x0), size 11, but only 2 bytes total
+	dd2 := NewDataDecoder(largeBuffer)
+	decoder2 := &Decoder{d: dd2, offset: 0}
+
+	_, _, err = decoder2.DecodeUInt128()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "exceeds buffer length")
+}
