Cap server-declared num_params in StmtResponse decode

Every other count-bearing field decoded from a response already
enforces an upper bound (_MAX_COLUMN_COUNT, _MAX_FILE_COUNT,
_MAX_NODE_COUNT in responses.py, _MAX_PARAM_COUNT in tuples.py).
StmtResponse.num_params was the outlier, accepting any uint64 the
server put on the wire.

Reuse the encoder cap from tuples.py so the client and server-side
declarations stay in lockstep. A server declaring more parameters
than a well-formed prepared statement could ever bind is either
malicious or corrupt; surface as a clean DecodeError at the wire
boundary instead of passing an unchecked value upward.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -15,6 +15,7 @@
 from dqlitewire.exceptions import DecodeError, EncodeError
 from dqlitewire.messages.base import Message
 from dqlitewire.tuples import (
+    _MAX_PARAM_COUNT,
     _ROW_DONE_MARKER,
     _ROW_PART_MARKER,
     RowMarker,
@@ -267,6 +268,15 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "StmtResponse":
         db_id = decode_uint32(data)
         stmt_id = decode_uint32(data[4:])
         num_params = decode_uint64(data[8:])
+        # Parity with the encoder cap in tuples.py: a server declaring a
+        # prepared-statement parameter count above _MAX_PARAM_COUNT is
+        # either malicious or corrupt. Other count-bearing decode paths
+        # (_MAX_COLUMN_COUNT, _MAX_FILE_COUNT, _MAX_NODE_COUNT) already
+        # enforce their own caps; this closes the matching gap.
+        if num_params > _MAX_PARAM_COUNT:
+            raise DecodeError(
+                f"StmtResponse num_params {num_params} exceeds maximum ({_MAX_PARAM_COUNT})"
+            )
         tail_offset = decode_uint64(data[16:]) if schema >= 1 else None
         return cls(db_id, stmt_id, num_params, tail_offset)
 

tests/test_messages_responses.py

@@ -221,6 +221,23 @@ def test_schema_1_rejects_v0_length_body(self) -> None:
         with pytest.raises(DecodeError, match="requires at least 24 bytes"):
             StmtResponse.decode_body(v0_body, schema=1)
 
+    def test_rejects_oversized_num_params(self) -> None:
+        """Defense-in-depth: cap server-declared num_params to match the
+        encoder-side _MAX_PARAM_COUNT. A malicious or corrupt server
+        returning num_params=2**63-1 produces a clean DecodeError, not
+        an unchecked value that a cautious caller could trust.
+        """
+        # Build a schema=0 body with num_params = 2**63 - 1.
+        import struct
+
+        body = (
+            struct.pack("<I", 1)  # db_id
+            + struct.pack("<I", 2)  # stmt_id
+            + struct.pack("<Q", 2**63 - 1)  # num_params (bogus)
+        )
+        with pytest.raises(DecodeError, match="num_params"):
+            StmtResponse.decode_body(body, schema=0)
+
 
 class TestResultResponse:
     def test_roundtrip(self) -> None: