Bound out-of-range error message in int encoders

A pathologically large int passed to encode_uint64, encode_int64, or
encode_uint32 baked a kilobyte of digits into the EncodeError message,
bloating every log line and traceback that quoted it. Truncate the
stringified value to 64 digits with a "... [N digits]" tail, parity
with _truncate_error in client.cluster and the failure-response cap
already present on the decode side.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/types.py

@@ -26,11 +26,26 @@
 # ``_MAX_FILE_COUNT`` / ``_MAX_NODE_COUNT`` in spirit.
 _MAX_BLOB_SIZE = 16 * 1024 * 1024  # 16 MiB
 
+# Cap on the stringified representation of an out-of-range integer in
+# EncodeError messages. A hostile or buggy caller passing ``10 ** 500``
+# would otherwise bake a kilobyte of digits into the error text (and
+# every log line / traceback that quotes it). Parity with
+# ``_truncate_error`` in the client layer and ``_MAX_FAILURE_MESSAGE_SIZE``
+# on the decode side.
+_MAX_VALUE_REPR = 64
+
+
+def _bounded_repr(value: int) -> str:
+    s = str(value)
+    if len(s) <= _MAX_VALUE_REPR:
+        return s
+    return f"{s[:_MAX_VALUE_REPR]}... [{len(s)} digits]"
+
 
 def encode_uint64(value: int) -> bytes:
     """Encode an unsigned 64-bit integer (little-endian)."""
     if not 0 <= value < 2**64:
-        raise EncodeError(f"Value {value} out of range for uint64")
+        raise EncodeError(f"Value {_bounded_repr(value)} out of range for uint64")
     return struct.pack("<Q", value)
 
 
@@ -49,7 +64,7 @@ def decode_uint64(data: bytes | memoryview) -> int:
 def encode_int64(value: int) -> bytes:
     """Encode a signed 64-bit integer (little-endian)."""
     if not -(2**63) <= value < 2**63:
-        raise EncodeError(f"Value {value} out of range for int64")
+        raise EncodeError(f"Value {_bounded_repr(value)} out of range for int64")
     return struct.pack("<q", value)
 
 
@@ -67,7 +82,7 @@ def decode_int64(data: bytes | memoryview) -> int:
 def encode_uint32(value: int) -> bytes:
     """Encode an unsigned 32-bit integer (little-endian)."""
     if not 0 <= value < 2**32:
-        raise EncodeError(f"Value {value} out of range for uint32")
+        raise EncodeError(f"Value {_bounded_repr(value)} out of range for uint32")
     return struct.pack("<I", value)
 
 

tests/test_types.py

@@ -84,6 +84,35 @@ def test_encode_underflow_fails(self) -> None:
         with pytest.raises(EncodeError):
             encode_int64(-(2**63) - 1)
 
+    def test_encode_overflow_error_message_is_bounded(self) -> None:
+        """A pathologically large int must not produce a multi-kB error
+        message. Parity with _truncate_error in client.cluster and the
+        failure-response cap in responses.py: attacker-or-bug-controlled
+        input should surface a bounded diagnostic, not a kilobyte of
+        digits.
+        """
+        huge = 10**500
+        with pytest.raises(EncodeError) as exc_info:
+            encode_int64(huge)
+        assert len(str(exc_info.value)) < 256
+        assert "out of range for int64" in str(exc_info.value)
+
+
+class TestOverflowMessageBounds:
+    """Cross-encoder parity for bounded overflow error messages."""
+
+    def test_uint64_overflow_message_bounded(self) -> None:
+        with pytest.raises(EncodeError) as exc_info:
+            encode_uint64(10**500)
+        assert len(str(exc_info.value)) < 256
+        assert "out of range for uint64" in str(exc_info.value)
+
+    def test_uint32_overflow_message_bounded(self) -> None:
+        with pytest.raises(EncodeError) as exc_info:
+            encode_uint32(10**500)
+        assert len(str(exc_info.value)) < 256
+        assert "out of range for uint32" in str(exc_info.value)
+
 
 class TestUint32:
     def test_encode_zero(self) -> None: