Enforce the parameter-count cap on encode_params_tuple

antoineleclair · claude · antoineleclair · commit 5647b89a5d20 · 2026-04-18T16:01:21.000-04:00
decode_params_tuple caps the decoded parameter count at
_MAX_PARAM_COUNT (100_000) as defense in depth; the encoder did not
mirror the same check for schema 1 (uint32 count). V0 has a 255 cap
from the 1-byte count field, but V1 is selected automatically whenever
the caller passes more than 255 parameters, so an accidental giant
params sequence burned an unbounded amount of allocation before the
64 MiB frame cap eventually fired with an opaque "buffer size exceeds
maximum" error.

Raise EncodeError with the same "exceeds maximum" shape the decoder
uses, placed after schema validation so the check fires uniformly
regardless of the short-circuit paths for empty params sequences.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/tuples.py b/src/dqlitewire/tuples.py
@@ -52,6 +52,15 @@ def encode_params_tuple(params: Sequence[Any], schema: int = 0, buffer_offset: i
     if schema not in (0, 1):
         raise EncodeError(f"Unsupported params tuple schema version: {schema} (expected 0 or 1)")
 
+    # Mirror the decoder's defense-in-depth cap so that a caller who
+    # accidentally passes an enormous params sequence (e.g. from a bug
+    # that builds WHERE IN (?,...) with millions of placeholders) fails
+    # fast with a clear message instead of burning allocations until the
+    # 64 MiB frame cap fires with an opaque "buffer size exceeds maximum"
+    # error.
+    if len(params) > _MAX_PARAM_COUNT:
+        raise EncodeError(f"Parameter count {len(params)} exceeds maximum ({_MAX_PARAM_COUNT})")
+
     if not params:
         # Go writes nothing for empty params
         return b""
diff --git a/tests/test_tuples.py b/tests/test_tuples.py
@@ -614,3 +614,22 @@ def test_v0_count_within_cap_succeeds(self) -> None:
         data = b"\x00" + b"\x00" * 7  # count=0, padded to 8 bytes
         result, _ = decode_params_tuple(data, schema=0)
         assert result == []
+
+
+class TestParamsTupleEncoderMaxCount:
+    """encode_params_tuple should mirror decode_params_tuple's cap."""
+
+    def test_encoder_rejects_excess_count(self) -> None:
+        from dqlitewire.tuples import _MAX_PARAM_COUNT
+
+        params = [0] * (_MAX_PARAM_COUNT + 1)
+        with pytest.raises(EncodeError, match="exceeds maximum"):
+            encode_params_tuple(params, schema=1)
+
+    def test_exec_request_rejects_excess_params(self) -> None:
+        from dqlitewire.messages.requests import ExecRequest
+        from dqlitewire.tuples import _MAX_PARAM_COUNT
+
+        req = ExecRequest(db_id=1, stmt_id=1, params=[0] * (_MAX_PARAM_COUNT + 1))
+        with pytest.raises(EncodeError, match="exceeds maximum"):
+            req.encode()
