Add more defensive bounds and input checks

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changes
 
+## 2.0.0-beta.9
+
+- **SECURITY**: Fixed integer overflow vulnerability in search tree size
+  calculation that could potentially allow malformed databases to trigger
+  security issues.
+- **SECURITY**: Enhanced bounds checking in tree traversal functions to return
+  proper errors instead of silent failures when encountering malformed
+  databases.
+- Added validation for invalid prefixes in `NetworksWithin` to prevent
+  unexpected behavior with malformed input.
+
 ## 2.0.0-beta.8 - 2025-07-15
 
 - Fixed "no next offset available" error that occurred when using custom

internal/decoder/data_decoder.go

@@ -246,6 +246,8 @@ func (d *DataDecoder) decodePointer(
 		pointerValueOffset = 526336
 	case 4:
 		pointerValueOffset = 0
+	default:
+		return 0, 0, mmdberrors.NewInvalidDatabaseError("invalid pointer size: %d", pointerSize)
 	}
 
 	pointer := unpacked + pointerValueOffset
@@ -477,6 +479,8 @@ func (d *DataDecoder) sizeFromCtrlByte(
 		size = 285 + uintFromBytes(0, sizeBytes)
 	case size > 30:
 		size = uintFromBytes(0, sizeBytes) + 65821
+	default:
+		// size < 30, no modification needed
 	}
 	return size, newOffset, nil
 }

internal/decoder/reflection.go

@@ -374,6 +374,8 @@ func (d *ReflectionDecoder) unmarshalBool(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -400,6 +402,8 @@ func (d *ReflectionDecoder) unmarshalBytes(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -421,6 +425,8 @@ func (d *ReflectionDecoder) unmarshalFloat32(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -445,6 +451,8 @@ func (d *ReflectionDecoder) unmarshalFloat64(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -481,6 +489,8 @@ func (d *ReflectionDecoder) unmarshalInt32(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -492,8 +502,6 @@ func (d *ReflectionDecoder) unmarshalMap(
 	depth int,
 ) (uint, error) {
 	switch result.Kind() {
-	default:
-		return 0, mmdberrors.NewUnmarshalTypeStrError("map", result.Type())
 	case reflect.Struct:
 		return d.decodeStruct(size, offset, result, depth)
 	case reflect.Map:
@@ -508,6 +516,8 @@ func (d *ReflectionDecoder) unmarshalMap(
 			return newOffset, err
 		}
 		return 0, mmdberrors.NewUnmarshalTypeStrError("map", result.Type())
+	default:
+		return 0, mmdberrors.NewUnmarshalTypeStrError("map", result.Type())
 	}
 }
 
@@ -556,6 +566,8 @@ func (d *ReflectionDecoder) unmarshalSlice(
 			result.Set(rv.Value)
 			return newOffset, err
 		}
+	default:
+		// Fall through to error return
 	}
 	return 0, mmdberrors.NewUnmarshalTypeStrError("array", result.Type())
 }
@@ -578,6 +590,8 @@ func (d *ReflectionDecoder) unmarshalString(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -632,6 +646,8 @@ func (d *ReflectionDecoder) unmarshalUint(
 			result.SetUint(value)
 			return newOffset, nil
 		}
+	default:
+		// Fall through to general unmarshaling logic
 	}
 
 	switch result.Kind() {
@@ -656,6 +672,8 @@ func (d *ReflectionDecoder) unmarshalUint(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -691,6 +709,8 @@ func (d *ReflectionDecoder) unmarshalUint128(
 			result.Set(reflect.ValueOf(value))
 			return newOffset, nil
 		}
+	default:
+		// Fall through to error return
 	}
 	return newOffset, mmdberrors.NewUnmarshalTypeError(value, result.Type())
 }
@@ -1210,6 +1230,8 @@ func (d *ReflectionDecoder) tryFastDecodeTyped(
 			addressableValue{result.Elem(), false},
 			expectedType.Elem(),
 		)
+	default:
+		// Type not supported for fast path
 	}
 
 	return 0, false