@marcuspuchalla/nachos 0.1.0 → 0.1.3

package/src/encoder/__tests__/cbor-string-encoder.test.ts

@@ -329,6 +329,20 @@ describe('CBOR String Encoder', () => {
       expect(() => encodeByteStringIndefinite([new Uint8Array([1])]))
         .toThrow('Indefinite-length encoding not allowed in canonical mode')
     })
+
+    it('should reject allowIndefinite=false for text strings', () => {
+      const { encodeTextStringIndefinite } = useCborStringEncoder({ allowIndefinite: false })
+
+      expect(() => encodeTextStringIndefinite(['a', 'b']))
+        .toThrow('Indefinite-length encoding is not allowed')
+    })
+
+    it('should reject allowIndefinite=false for byte strings', () => {
+      const { encodeByteStringIndefinite } = useCborStringEncoder({ allowIndefinite: false })
+
+      expect(() => encodeByteStringIndefinite([new Uint8Array([1])]))
+        .toThrow('Indefinite-length encoding is not allowed')
+    })
   })
 
   describe('Byte string array handling', () => {

package/src/encoder/composables/useCborCollectionEncoder.ts

@@ -105,6 +105,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
       const newCtx = { ...ctx, depth: ctx.depth + 1 }
 
       if (isIndefinite) {
+        if (ctx.options.allowIndefinite === false) {
+          throw new Error('Indefinite-length encoding is not allowed')
+        }
         // Use indefinite encoding - but need to recursively encode items
         const parts: Uint8Array[] = [new Uint8Array([0x9f])]  // Start marker
         for (const item of value) {
@@ -130,6 +133,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
       const newCtx = { ...ctx, depth: ctx.depth + 1 }
 
       if (isIndefinite) {
+        if (ctx.options.allowIndefinite === false) {
+          throw new Error('Indefinite-length encoding is not allowed')
+        }
         // Use indefinite encoding
         const entries: Array<[EncodableValue, EncodableValue]> =
           value instanceof Map
@@ -233,6 +239,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
 
     // Handle indefinite-length encoding
     if (encodeOptions?.indefinite || isIndefinite) {
+      if (options.allowIndefinite === false) {
+        throw new Error('Indefinite-length encoding is not allowed')
+      }
       if (options.canonical) {
         throw new Error('Indefinite-length encoding not allowed in canonical mode')
       }
@@ -256,6 +265,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
    * @returns Encoded CBOR bytes and hex string
    */
   const encodeArrayIndefinite = (array: EncodableValue[]): EncodeResult => {
+    if (options.allowIndefinite === false) {
+      throw new Error('Indefinite-length encoding is not allowed')
+    }
     if (options.canonical) {
       throw new Error('Indefinite-length encoding not allowed in canonical mode')
     }
@@ -313,6 +325,18 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
       })
     }
 
+    if (ctx.options.rejectDuplicateKeys) {
+      const seen = new Set<string>()
+      for (const [key] of entries) {
+        const keyBytes = encodeValue(key, { ...ctx, depth: ctx.depth + 1, bytesWritten: 0 })
+        const keyHex = bytesToHex(keyBytes)
+        if (seen.has(keyHex)) {
+          throw new Error('Duplicate map key detected')
+        }
+        seen.add(keyHex)
+      }
+    }
+
     const header = encodeLengthHeader(5, entries.length)
     const parts: Uint8Array[] = [header]
 
@@ -354,6 +378,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
 
     // Handle indefinite-length encoding
     if (encodeOptions?.indefinite || isIndefinite) {
+      if (options.allowIndefinite === false) {
+        throw new Error('Indefinite-length encoding is not allowed')
+      }
       if (options.canonical) {
         throw new Error('Indefinite-length encoding not allowed in canonical mode')
       }
@@ -379,6 +406,9 @@ export function useCborCollectionEncoder(globalOptions?: Partial<EncodeOptions>)
   const encodeMapIndefinite = (
     map: Map<EncodableValue, EncodableValue> | { [key: string]: EncodableValue }
   ): EncodeResult => {
+    if (options.allowIndefinite === false) {
+      throw new Error('Indefinite-length encoding is not allowed')
+    }
     if (options.canonical) {
       throw new Error('Indefinite-length encoding not allowed in canonical mode')
     }

package/src/encoder/composables/useCborEncoder.ts

@@ -42,6 +42,11 @@ import { useCborByteString, useCborTextString } from '../../parser/composables/u
 export function useCborEncoder(globalOptions?: Partial<EncodeOptions>) {
   const options = { ...DEFAULT_ENCODE_OPTIONS, ...globalOptions }
 
+  // Canonical mode overrides: indefinite-length is forbidden per RFC 8949 Section 4.2
+  if (options.canonical && options.allowIndefinite) {
+    options.allowIndefinite = false
+  }
+
   // Get all specialized encoders
   const { encodeInteger } = useCborIntegerEncoder()
   const { encodeTextString, encodeByteString } = useCborStringEncoder(options)
@@ -78,7 +83,7 @@ export function useCborEncoder(globalOptions?: Partial<EncodeOptions>) {
     // Handle numbers
     if (typeof value === 'number') {
       // Check if it's an integer
-      if (Number.isInteger(value) && Number.isSafeInteger(value)) {
+      if (Number.isSafeInteger(value)) {
         return encodeInteger(value)
       }
       // It's a float

package/src/encoder/composables/useCborSimpleEncoder.ts

@@ -91,10 +91,15 @@ export function useCborSimpleEncoder(_globalOptions?: Partial<EncodeOptions>) {
     let exp16: number
     let mant16: number
 
-    if (exp64 < -14) {
-      // Subnormal or zero
+    if (exp64 < -24) {
+      // Too small even for subnormal float16
       exp16 = 0
       mant16 = 0
+    } else if (exp64 < -14) {
+      // Subnormal float16: shift the implicit 1.mantissa into the fraction bits
+      exp16 = 0
+      const shift = -14 - exp64
+      mant16 = (((1 << 10) | (mant64 >> 42)) + ((1 << (shift - 1)) - 1)) >> shift
     } else if (exp64 > 15) {
       // Overflow to infinity
       exp16 = 31

package/src/encoder/composables/useCborStringEncoder.ts

@@ -106,6 +106,9 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
 
     // Handle indefinite-length encoding
     if (encodeOptions?.indefinite || Array.isArray(data) || isIndefinite) {
+      if (options.allowIndefinite === false) {
+        throw new Error('Indefinite-length encoding is not allowed')
+      }
       if (options.canonical) {
         throw new Error('Indefinite-length encoding not allowed in canonical mode')
       }
@@ -122,14 +125,15 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
 
     // Definite-length encoding - extract bytes from CborByteString if needed
     const bytes = isCborByteString(data) ? data.bytes : (data as Uint8Array)
-    const header = encodeLengthHeader(2, bytes.length)
-    const result = concatenateUint8Arrays([header, bytes])
 
-    // Check output size limit
-    if (result.length > options.maxOutputSize) {
-      throw new Error('Encoded output exceeds maximum size')
+    // Check size limit before allocating (header is at most 9 bytes)
+    if (bytes.length + 9 > options.maxOutputSize) {
+      throw new Error(`Encoded output exceeds maximum size`)
     }
 
+    const header = encodeLengthHeader(2, bytes.length)
+    const result = concatenateUint8Arrays([header, bytes])
+
     return {
       bytes: result,
       hex: bytesToHex(result)
@@ -146,6 +150,9 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
    * @returns Encoded CBOR bytes and hex string
    */
   const encodeByteStringIndefinite = (chunks: Uint8Array[]): EncodeResult => {
+    if (options.allowIndefinite === false) {
+      throw new Error('Indefinite-length encoding is not allowed')
+    }
     if (options.canonical) {
       throw new Error('Indefinite-length encoding not allowed in canonical mode')
     }
@@ -187,6 +194,9 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
 
     // Handle indefinite-length encoding
     if (encodeOptions?.indefinite || isIndefinite) {
+      if (options.allowIndefinite === false) {
+        throw new Error('Indefinite-length encoding is not allowed')
+      }
       if (options.canonical) {
         throw new Error('Indefinite-length encoding not allowed in canonical mode')
       }
@@ -208,14 +218,14 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
     const encoder = new TextEncoder()
     const utf8Bytes = encoder.encode(textStr)
 
+    // Check size limit before allocating (header is at most 9 bytes)
+    if (utf8Bytes.length + 9 > options.maxOutputSize) {
+      throw new Error(`Encoded output exceeds maximum size`)
+    }
+
     const header = encodeLengthHeader(3, utf8Bytes.length)
     const result = concatenateUint8Arrays([header, utf8Bytes])
 
-    // Check output size limit
-    if (result.length > options.maxOutputSize) {
-      throw new Error('Encoded output exceeds maximum size')
-    }
-
     return {
       bytes: result,
       hex: bytesToHex(result)
@@ -232,6 +242,9 @@ export function useCborStringEncoder(globalOptions?: Partial<EncodeOptions>) {
    * @returns Encoded CBOR bytes and hex string
    */
   const encodeTextStringIndefinite = (chunks: string[]): EncodeResult => {
+    if (options.allowIndefinite === false) {
+      throw new Error('Indefinite-length encoding is not allowed')
+    }
     if (options.canonical) {
       throw new Error('Indefinite-length encoding not allowed in canonical mode')
     }

package/src/parser/__tests__/cbor-float-errors.test.ts

@@ -211,6 +211,47 @@ describe('useCborFloat - Error Handling', () => {
     })
   })
 
+  describe('Canonical float validation', () => {
+    it('should reject float32 when value fits in float16', () => {
+      const { parseFloat } = useCborFloat()
+
+      // 1.0 fits in float16, but encoded as float32
+      expect(() => parseFloat('fa3f800000', { validateCanonical: true }))
+        .toThrow(/canonical.*float16/i)
+    })
+
+    it('should reject float64 when value fits in float32', () => {
+      const { parseFloat } = useCborFloat()
+
+      // 1.0 fits in float32, but encoded as float64
+      expect(() => parseFloat('fb3ff0000000000000', { validateCanonical: true }))
+        .toThrow(/canonical.*float16\/float32/i)
+    })
+
+    it('should reject non-canonical NaN encodings for float32/float64', () => {
+      const { parseFloat } = useCborFloat()
+
+      // Float16 NaN with non-canonical payload
+      expect(() => parseFloat('f97e01', { validateCanonical: true }))
+        .toThrow(/nan/i)
+
+      // Float32 NaN
+      expect(() => parseFloat('fa7fc00000', { validateCanonical: true }))
+        .toThrow(/nan/i)
+
+      // Float64 NaN
+      expect(() => parseFloat('fb7ff8000000000001', { validateCanonical: true }))
+        .toThrow(/nan/i)
+    })
+
+    it('should accept float16 when canonical validation is enabled', () => {
+      const { parseFloat } = useCborFloat()
+
+      const result = parseFloat('f93e00', { validateCanonical: true })
+      expect(result.value).toBe(1.5)
+    })
+  })
+
   describe('Wrong Major Type in parse()', () => {
     it('should throw error when auto-detecting with wrong major type', () => {
       const { parse } = useCborFloat()

package/src/parser/__tests__/cbor-security-dos-protection.test.ts

@@ -261,8 +261,8 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
     it('should use default tag depth limit when not specified', () => {
       const { parseTag } = useCborTag()
 
-      // 100 nested tags (exceeds default 64)
-      const nested = 'c0'.repeat(100) + '00'
+      // 150 nested tags (exceeds default 100)
+      const nested = 'c0'.repeat(150) + '00'
 
       expect(() => parseTag(nested)) // No options = use defaults
         .toThrow(/tag nesting depth.*exceeds/i)

package/src/parser/__tests__/cbor-standard-tags.test.ts

@@ -221,6 +221,35 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
     })
   })
 
+  describe('Tags 2-3: Bignums', () => {
+    it('should parse tag 2 with byte string', () => {
+      // c2 (tag 2) + 41 (1-byte byte string) + 01
+      const hex = 'c24101'
+      const result = parse(hex)
+
+      expect(result.value).toMatchObject({
+        tag: 2,
+        value: 1n
+      })
+    })
+
+    it('should reject non-byte-string tag 2 in strict mode', () => {
+      // c2 (tag 2) + 01 (integer)
+      const hex = 'c201'
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/byte string/i)
+    })
+
+    it('should reject non-byte-string tag 3 in strict mode', () => {
+      // c3 (tag 3) + 01 (integer)
+      const hex = 'c301'
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/byte string/i)
+    })
+  })
+
   describe('Tag 32: URI', () => {
     it('should parse valid URI', () => {
       // d8 20 (tag 32) + 76 (22-byte text) + "http://www.example.com"

package/src/parser/__tests__/cbor-string-errors.test.ts

@@ -112,8 +112,8 @@ describe('useCborString - Error Handling', () => {
       // 5f (indefinite byte string) + 6161 (text "a") + ff (break)
       const buffer = new Uint8Array([0x5f, 0x61, 0x61, 0xff])
 
-      // The error is thrown when trying to parse the text string as a byte string
-      expect(() => parseByteString(buffer, 0)).toThrow('Expected major type 2')
+      // The error is thrown when validating the chunk type
+      expect(() => parseByteString(buffer, 0)).toThrow('chunks must be byte strings')
     })
   })
 
@@ -125,8 +125,8 @@ describe('useCborString - Error Handling', () => {
       // 7f (indefinite text string) + 4161 (byte string containing 'a') + ff (break)
       const buffer = new Uint8Array([0x7f, 0x41, 0x61, 0xff])
 
-      // The error is thrown when trying to parse the byte string as a text string
-      expect(() => parseTextString(buffer, 0)).toThrow('Expected major type 3')
+      // The error is thrown when validating the chunk type
+      expect(() => parseTextString(buffer, 0)).toThrow('chunks must be text strings')
     })
   })
 

package/src/parser/__tests__/cbor-tag-errors.test.ts

@@ -20,7 +20,7 @@ describe('useCborTag - Error Handling', () => {
 
       // Tag with array that's incomplete
       // c1 (tag 1) + 82 (array of 2) + 01 (element 1) - missing element 2
-      expect(() => parseTag('c18201')).toThrow('Unexpected end of buffer at offset')
+      expect(() => parseTag('c18201')).toThrow('Unexpected end of buffer')
     })
   })
 

package/src/parser/composables/useCborFloat.ts

@@ -62,6 +62,58 @@ export function useCborFloat() {
     return (sign === 0 ? 1 : -1) * Math.pow(2, exponent - 15) * (1 + fraction / 1024)
   }
 
+  /**
+   * Checks if a float64 value can be exactly represented as float16
+   * Used for canonical encoding validation (RFC 8949 Section 4.2.2)
+   */
+  const fitsInFloat16 = (value: number): boolean => {
+    if (Number.isNaN(value) || value === Infinity || value === -Infinity) return true
+    if (Object.is(value, 0) || Object.is(value, -0)) return true
+
+    const abs = Math.abs(value)
+    // Float16 range: subnormals ~5.96e-8 to max normal 65504
+    if (abs > 65504) return false
+    if (abs < 5.960464477539063e-8) return false
+
+    // Encode to float16 and back to see if value is preserved
+    const sign = value < 0 ? 1 : 0
+    const buf = new ArrayBuffer(8)
+    const view = new DataView(buf)
+    view.setFloat64(0, abs, false)
+    const bits64 = view.getBigUint64(0, false)
+    const exp64 = Number((bits64 >> 52n) & 0x7ffn) - 1023
+    const mant64 = Number(bits64 & 0xfffffffffffffn)
+
+    let exp16: number
+    let mant16: number
+    if (exp64 < -14) {
+      // Subnormal float16
+      exp16 = 0
+      const shift = -14 - exp64
+      mant16 = ((1 << 10) | (mant64 >> 42)) >> shift
+    } else if (exp64 > 15) {
+      return false
+    } else {
+      exp16 = exp64 + 15
+      mant16 = mant64 >> 42
+    }
+
+    const float16Bits = (sign << 15) | (exp16 << 10) | mant16
+    // Decode back
+    const s = (float16Bits & 0x8000) >> 15
+    const e = (float16Bits & 0x7c00) >> 10
+    const f = float16Bits & 0x03ff
+    let reconstructed: number
+    if (e === 0) {
+      reconstructed = (s === 0 ? 1 : -1) * Math.pow(2, -14) * (f / 1024)
+    } else if (e === 0x1f) {
+      reconstructed = f === 0 ? (s === 0 ? Infinity : -Infinity) : NaN
+    } else {
+      reconstructed = (s === 0 ? 1 : -1) * Math.pow(2, e - 15) * (1 + f / 1024)
+    }
+    return reconstructed === value
+  }
+
   /**
    * Parses simple values (booleans, null, undefined, unassigned)
    *
@@ -142,7 +194,7 @@ export function useCborFloat() {
    * @param offset - Current offset
    * @returns Parsed float and bytes read
    */
-  const parseFloatFromBuffer = (buffer: Uint8Array, offset: number): ParseResult => {
+  const parseFloatFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
     const initialByte = readByte(buffer, offset)
     const { majorType, additionalInfo } = extractCborHeader(initialByte)
 
@@ -156,6 +208,16 @@ export function useCborFloat() {
           if (offset + 2 >= buffer.length) {
             throw new Error('Unexpected end of buffer while reading Float16')
           }
+          if (options?.validateCanonical) {
+            const byte1 = readByte(buffer, offset + 1)
+            const byte2 = readByte(buffer, offset + 2)
+            const bits = (byte1 << 8) | byte2
+            const exp = (bits >> 10) & 0x1f
+            const mant = bits & 0x03ff
+            if (exp === 0x1f && mant !== 0 && bits !== 0x7e00) {
+              throw new Error('Non-canonical NaN encoding: use 0xf97e00')
+            }
+          }
           const value = float16ToFloat64(buffer, offset + 1)
           return { value, bytesRead: 3 }
         }
@@ -168,6 +230,15 @@ export function useCborFloat() {
           // Use DataView for proper IEEE 754 parsing
           const dataView = new DataView(buffer.buffer, buffer.byteOffset + offset + 1, 4)
           const value = dataView.getFloat32(0, false) // false = big-endian
+          if (options?.validateCanonical) {
+            if (Number.isNaN(value)) {
+              throw new Error('Non-canonical NaN encoding: NaN must use float16 0xf97e00')
+            }
+            // Check if value could be represented as float16 (shortest form)
+            if (fitsInFloat16(value)) {
+              throw new Error('Non-canonical float32: value fits in float16, use shortest encoding')
+            }
+          }
           return { value, bytesRead: 5 }
         }
 
@@ -179,6 +250,20 @@ export function useCborFloat() {
           // Use DataView for proper IEEE 754 parsing
           const dataView = new DataView(buffer.buffer, buffer.byteOffset + offset + 1, 8)
           const value = dataView.getFloat64(0, false) // false = big-endian
+          if (options?.validateCanonical) {
+            if (Number.isNaN(value)) {
+              throw new Error('Non-canonical NaN encoding: NaN must use float16 0xf97e00')
+            }
+            // Check if value could be represented in a smaller float
+            if (fitsInFloat16(value)) {
+              throw new Error('Non-canonical float64: value fits in float16/float32, use shortest encoding')
+            }
+            // Check if float64 value fits in float32
+            const f32 = Math.fround(value)
+            if (f32 === value || (Object.is(value, -0) && Object.is(f32, -0))) {
+              throw new Error('Non-canonical float64: value fits in float16/float32, use shortest encoding')
+            }
+          }
           return { value, bytesRead: 9 }
         }
 
@@ -194,7 +279,7 @@ export function useCborFloat() {
    * @param offset - Current offset
    * @returns Parsed value and bytes read
    */
-  const parseFromBuffer = (buffer: Uint8Array, offset: number): ParseResult => {
+  const parseFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
     const initialByte = readByte(buffer, offset)
     const { majorType, additionalInfo } = extractCborHeader(initialByte)
 
@@ -205,7 +290,7 @@ export function useCborFloat() {
     // Determine if it's a float or simple value based on additional info
     if (additionalInfo === 25 || additionalInfo === 26 || additionalInfo === 27) {
       // Float16, Float32, or Float64
-      return parseFloatFromBuffer(buffer, offset)
+      return parseFloatFromBuffer(buffer, offset, options)
     } else {
       // Simple value (including false, true, null, undefined)
       return parseSimpleFromBuffer(buffer, offset)
@@ -216,7 +301,7 @@ export function useCborFloat() {
    * Parses CBOR simple value from hex string
    *
    * @param hexString - CBOR hex string
-   * @param _options - Parser options (optional, for future use)
+   * @param _options - Parser options (reserved for future use)
    * @returns Parsed simple value and bytes read
    */
   const parseSimple = (hexString: string, _options?: ParseOptions): ParseResult => {
@@ -231,9 +316,9 @@ export function useCborFloat() {
    * @param _options - Parser options (optional, for future use)
    * @returns Parsed float and bytes read
    */
-  const parseFloat = (hexString: string, _options?: ParseOptions): ParseResult => {
+  const parseFloat = (hexString: string, options?: ParseOptions): ParseResult => {
     const buffer = hexToBytes(hexString)
-    return parseFloatFromBuffer(buffer, 0)
+    return parseFloatFromBuffer(buffer, 0, options)
   }
 
   /**
@@ -243,9 +328,9 @@ export function useCborFloat() {
    * @param _options - Parser options (optional, for future use)
    * @returns Parsed value and bytes read
    */
-  const parse = (hexString: string, _options?: ParseOptions): ParseResult => {
+  const parse = (hexString: string, options?: ParseOptions): ParseResult => {
     const buffer = hexToBytes(hexString)
-    return parseFromBuffer(buffer, 0)
+    return parseFromBuffer(buffer, 0, options)
   }
 
   return {

package/src/parser/composables/useCborParser.ts

@@ -793,25 +793,6 @@ export function useCborParser() {
     }
   }
 
-  /**
-   * Get tag number for description
-   * Note: Reserved for future tag description features
-   */
-  // const getTagNumber = (buffer: Uint8Array, offset: number): number => {
-  //   const initialByte = readByte(buffer, offset)
-  //   const { additionalInfo } = extractCborHeader(initialByte)
-  //
-  //   if (additionalInfo < 24) return additionalInfo
-  //   if (additionalInfo === 24) return readByte(buffer, offset + 1)
-  //   if (additionalInfo === 25) return readUint(buffer, offset + 1, 2)
-  //   if (additionalInfo === 26) return readUint(buffer, offset + 1, 4)
-  //   if (additionalInfo === 27) {
-  //     const bigNum = readBigUint(buffer, offset + 1, 8)
-  //     return bigNum <= BigInt(Number.MAX_SAFE_INTEGER) ? Number(bigNum) : -1
-  //   }
-  //   return -1
-  // }
-
   /**
    * Get simple type description
    */

package/src/parser/composables/useCborString.ts

@@ -133,8 +133,17 @@ export function useCborString() {
           break
         }
 
-        // Parse chunk (must be definite-length byte string)
-        // Use try-catch to provide better error context for indefinite strings
+        // Validate chunk is definite-length (RFC 8949 Section 3.2.3)
+        const chunkInitialByte = readByte(buffer, currentOffset)
+        const chunkHeader = extractCborHeader(chunkInitialByte)
+        if (chunkHeader.majorType !== 2) {
+          throw new Error(`Indefinite byte string chunks must be byte strings (major type 2), got ${chunkHeader.majorType}`)
+        }
+        if (chunkHeader.additionalInfo === 31) {
+          throw new Error('Indefinite byte string chunks must be definite-length (RFC 8949 Section 3.2.3)')
+        }
+
+        // Parse chunk
         let chunkResult
         try {
           chunkResult = parseByteString(buffer, currentOffset, options)
@@ -237,8 +246,17 @@ export function useCborString() {
           break
         }
 
-        // Parse chunk (must be definite-length text string)
-        // Use try-catch to provide better error context for indefinite strings
+        // Validate chunk is definite-length (RFC 8949 Section 3.2.3)
+        const chunkInitialByte = readByte(buffer, currentOffset)
+        const chunkHeader = extractCborHeader(chunkInitialByte)
+        if (chunkHeader.majorType !== 3) {
+          throw new Error(`Indefinite text string chunks must be text strings (major type 3), got ${chunkHeader.majorType}`)
+        }
+        if (chunkHeader.additionalInfo === 31) {
+          throw new Error('Indefinite text string chunks must be definite-length (RFC 8949 Section 3.2.3)')
+        }
+
+        // Parse chunk
         let chunkResult
         try {
           chunkResult = parseTextString(buffer, currentOffset, options)