fix: reject negative n in read_bytes and peek_bytes

antoineleclair · claude · antoineleclair · commit 0ca2ce8db7ae · 2026-04-15T12:41:28.000-04:00
read_bytes(-n) silently decremented _pos, corrupting the buffer and
allowing re-reads of already-consumed data. peek_bytes(-n) returned
empty bytes without error. Both now raise ValueError for negative n.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/buffer.py b/src/dqlitewire/buffer.py
@@ -403,7 +403,10 @@ def read_bytes(self, n: int) -> bytes | None:
 
         Returns None if not enough data available.
         Raises ``ProtocolError`` if the buffer is poisoned.
+        Raises ``ValueError`` if *n* is negative.
         """
+        if n < 0:
+            raise ValueError(f"n must be non-negative, got {n}")
         self._check_poisoned()
         available = len(self._data) - self._pos
         if available < n:
@@ -430,7 +433,10 @@ def peek_bytes(self, n: int) -> bytes | None:
         validate the bytes before deciding whether to consume them.
 
         Raises ``ProtocolError`` if the buffer is poisoned.
+        Raises ``ValueError`` if *n* is negative.
         """
+        if n < 0:
+            raise ValueError(f"n must be non-negative, got {n}")
         self._check_poisoned()
         available = len(self._data) - self._pos
         if available < n:
diff --git a/tests/test_buffer.py b/tests/test_buffer.py
@@ -118,6 +118,27 @@ def test_read_bytes_not_enough(self) -> None:
         assert data is None
         assert buf.available() == 2
 
+    def test_read_bytes_negative_n_raises(self) -> None:
+        """read_bytes with negative n must raise, not corrupt _pos."""
+        import pytest
+
+        buf = ReadBuffer()
+        buf.feed(b"hello world")
+        with pytest.raises(ValueError, match="non-negative"):
+            buf.read_bytes(-1)
+        # Buffer state must be unchanged
+        assert buf.available() == 11
+
+    def test_peek_bytes_negative_n_raises(self) -> None:
+        """peek_bytes with negative n must raise, not return empty bytes."""
+        import pytest
+
+        buf = ReadBuffer()
+        buf.feed(b"hello world")
+        with pytest.raises(ValueError, match="non-negative"):
+            buf.peek_bytes(-1)
+        assert buf.available() == 11
+
     def test_has_message_incomplete(self) -> None:
         buf = ReadBuffer()
         # Feed only header
