Merging this PR will not alter performance

✅ 14 untouched benchmarks

_{Comparing bound_read_string_record_length (c6111f9) with master (4ff6540)¹}

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.77%. Comparing base (b22c8ff) to head (c6111f9).
⚠️ Report is 2 commits behind head on master.

@@           Coverage Diff           @@
##           master    #1756   +/-   ##
=======================================
  Coverage   99.77%   99.77%           
=======================================
  Files          33       33           
  Lines        3497     3508   +11     
  Branches      489      493    +4     
=======================================
+ Hits         3489     3500   +11     
  Misses          5        5           
  Partials        3        3           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bluetoothbot review

Good catch, addressed in c6111f9; added a per-record post-check in _read_others that drops the record and resyncs to the declared rdlength end when the inner reads consume a different number of bytes than the rdlength claimed, plus a regression test with a second valid record proving resync recovers it.

PR Review — fix: bound record payload reads against rdlength overrun

Solid fix. The two-layer approach — packet-level bounds in _read_string/_read_character_string plus the per-record self.offset != end post-check in _read_others — correctly addresses both the silent-truncation case (PR description) and the record-boundary-overrun case (raised by the Copilot reviewer and addressed in c6111f9). Tests cover TXT, HINFO, and A overruns plus the over-consume/resync case with a follow-on record that proves framing recovers. Type widths stay unsigned int per incoming.pxd, so the comparison stays a pure C unsigned compare in the Cython build with no sign-extension risk. Only nits are CLAUDE.md docstring style on two test cases and a defensive observation about end > _data_len resync; neither blocks merge.

🟢 Suggestions

    """A TXT record with rdlength past the buffer must not enter the cache.

    Python slicing silently truncates when the slice end exceeds the buffer,
    so without a bounds check in ``_read_string`` a malformed wire frame
    would land in the cache carrying a payload shorter than the rdlength
    declared, leaving the parser desynchronized for downstream records.
    """

Checklist

• Input validation at boundaries (incoming wire data)
• No silent truncation of attacker-controlled length fields
• Error handling propagates to existing decode-skip path
• No resource leaks introduced
• Cython type signedness preserved (unsigned int end-to-end)
• Test coverage for new branches (overrun + resync)
• Test docstrings follow CLAUDE.md style — suggestion ＃1
• Resync offset bounded against _data_len — suggestion ＃2

Summary

Solid fix. The two-layer approach — packet-level bounds in _read_string/_read_character_string plus the per-record self.offset != end post-check in _read_others — correctly addresses both the silent-truncation case (PR description) and the record-boundary-overrun case (raised by the Copilot reviewer and addressed in c6111f9). Tests cover TXT, HINFO, and A overruns plus the over-consume/resync case with a follow-on record that proves framing recovers. Type widths stay unsigned int per incoming.pxd, so the comparison stays a pure C unsigned compare in the Cython build with no sign-extension risk. Only nits are CLAUDE.md docstring style on two test cases and a defensive observation about end > _data_len resync; neither blocks merge.

Automated review by Kōand23b029
c6111f9