feat(error): record byte offset on decode and encode error variants

Reshapes the position-aware error approach per Devolutions#1266 review feedback. Moves
position metadata out of the foundational `ironrdp-error` crate and onto the
decode and encode `*ErrorKind` enum variants where it actually applies.

Previously this PR added an optional `ErrorPosition { offset, field }` slot
to `Error<Kind>`'s `ErrorMeta`, paying a metadata slot on every error in the
workspace to serve only the decode and encode surfaces. The new shape places
a non-optional `offset: usize` on each variant that can know one:

- `DecodeErrorKind::{NotEnoughBytes, InvalidField, UnexpectedMessageType,
  UnsupportedVersion, UnsupportedValue}` gain `offset: usize`
- `EncodeErrorKind::*` mirrors the same shape for encode-side errors
- `*::Other` is unchanged; producers of `Other` typically lack stream-cursor
  access and the variant exists precisely for those cases

The `in_field` dotted-path use case is dropped from this PR per the same
review: `Error::set_context` already covers it. No parallel structured
field-tracking channel is introduced.

Trait and macro changes:

- `NotEnoughBytesErr`, `InvalidFieldErr`, `UnexpectedMessageTypeErr`,
  `UnsupportedVersionErr`, `UnsupportedValueErr` all take an additional
  `offset: usize` parameter
- The five corresponding `*_err!` macros gain `at:` and `in:` prefixes for
  explicit offset and cursor-extracted offset respectively
- `OtherErr` and `other_err!` are unchanged
- `cast_length!` and `cast_int!` macros pass `0` to the new offset slot
  (the macros do not have stream-cursor access)

Call-site migration:

- All 84 affected files updated to pass an explicit offset
- Most existing call sites pass `0` (the documented "offset unknown" sentinel)
  since the cursor is not always in lexical scope at the call site
- Cursor-aware sites can opt in via the new `in: cursor` macro syntax
- A workspace sweep upgrading `at: 0` to `in: cursor` where applicable is a
  follow-up

Display output includes the offset when known:
`invalid \`field\` at offset 47: reason`

Refs Devolutions#1257, Devolutions#1120. Supersedes the cross-cutting `ErrorPosition` approach
that was on this branch before today's review.

Author: Greg Lamberson

crates/ironrdp-ainput/src/lib.rs

@@ -159,8 +159,8 @@ impl<'de> Decode<'de> for ServerPdu {
     fn decode(src: &mut ReadCursor<'de>) -> DecodeResult<Self> {
         ensure_fixed_part_size!(in: src);
 
-        let pdu_type =
-            ServerPduType::from_u16(src.read_u16()).ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type"))?;
+        let pdu_type = ServerPduType::from_u16(src.read_u16())
+            .ok_or_else(|| invalid_field_err!(at: 0, "pduType", "invalid pdu type"))?;
 
         let server_pdu = match pdu_type {
             ServerPduType::Version => ServerPdu::Version(VersionPdu::decode(src)?),
@@ -256,8 +256,8 @@ impl<'de> Decode<'de> for ClientPdu {
     fn decode(src: &mut ReadCursor<'de>) -> DecodeResult<Self> {
         ensure_fixed_part_size!(in: src);
 
-        let pdu_type =
-            ClientPduType::from_u16(src.read_u16()).ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type"))?;
+        let pdu_type = ClientPduType::from_u16(src.read_u16())
+            .ok_or_else(|| invalid_field_err!(at: 0, "pduType", "invalid pdu type"))?;
 
         let client_pdu = match pdu_type {
             ClientPduType::Mouse => ClientPdu::Mouse(MousePdu::decode(src)?),

crates/ironrdp-cliprdr-format/src/bitmap.rs

@@ -243,19 +243,19 @@ impl BitmapInfoHeader {
 
         let width = src.read_i32();
         check_invariant(width != i32::MIN && width.abs() <= 10_000)
-            .ok_or_else(|| invalid_field_err!("biWidth", "width is too big"))?;
+            .ok_or_else(|| invalid_field_err!(at: 0, "biWidth", "width is too big"))?;
 
         let height = src.read_i32();
         check_invariant(height != i32::MIN && height.abs() <= 10_000)
-            .ok_or_else(|| invalid_field_err!("biHeight", "height is too big"))?;
+            .ok_or_else(|| invalid_field_err!(at: 0, "biHeight", "height is too big"))?;
 
         let planes = src.read_u16();
         if planes != 1 {
-            return Err(invalid_field_err!("biPlanes", "invalid planes count"));
+            return Err(invalid_field_err!(at: 0, "biPlanes", "invalid planes count"));
         }
 
         let bit_count = src.read_u16();
-        check_invariant(bit_count <= 32).ok_or_else(|| invalid_field_err!("biBitCount", "invalid bit count"))?;
+        check_invariant(bit_count <= 32).ok_or_else(|| invalid_field_err!(at: 0, "biBitCount", "invalid bit count"))?;
 
         let compression = BitmapCompression(src.read_u32());
         let size_image = src.read_u32();
@@ -320,7 +320,7 @@ impl<'a> Decode<'a> for BitmapInfoHeader {
         let size: usize = cast_int!("biSize", size)?;
 
         if size != Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("biSize", "invalid V1 bitmap info header size"));
+            return Err(invalid_field_err!(at: 0, "biSize", "invalid V1 bitmap info header size"));
         }
 
         Ok(header)
@@ -406,7 +406,7 @@ impl<'a> Decode<'a> for BitmapV5Header {
         let size: usize = cast_int!("biSize", size)?;
 
         if size != Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("biSize", "invalid V5 bitmap info header size"));
+            return Err(invalid_field_err!(at: 0, "biSize", "invalid V5 bitmap info header size"));
         }
 
         let red_mask = src.read_u32();

crates/ironrdp-cliprdr/src/pdu/capabilities.rs

@@ -170,8 +170,7 @@ impl<'de> Decode<'de> for CapabilitySet {
                 let general = GeneralCapabilitySet::decode(src)?;
                 Ok(Self::General(general))
             }
-            _ => Err(invalid_field_err!(
-                "capabilitySetType",
+            _ => Err(invalid_field_err!(at: 0, "capabilitySetType",
                 "invalid clipboard capability set type"
             )),
         }

crates/ironrdp-cliprdr/src/pdu/client_temporary_directory.rs

@@ -52,7 +52,7 @@ impl ClientTemporaryDirectory<'_> {
         let mut cursor = ReadCursor::new(&self.path_buffer);
 
         read_string_from_cursor(&mut cursor, CharacterSet::Unicode, true)
-            .map_err(|_| invalid_field_err!("wszTempDir", "failed to decode temp dir path"))
+            .map_err(|_| invalid_field_err!(at: 0, "wszTempDir", "failed to decode temp dir path"))
     }
 }
 

crates/ironrdp-cliprdr/src/pdu/file_contents.rs

@@ -129,18 +129,16 @@ impl<'a> FileContentsResponse<'a> {
     /// Should not panic - the try_into conversion is guaranteed to succeed after length validation.
     pub fn data_as_size(&self) -> DecodeResult<u64> {
         if self.data.len() != 8 {
-            return Err(invalid_field_err!(
-                "requestedFileContentsData",
+            return Err(invalid_field_err!(at: 0, "requestedFileContentsData",
                 "SIZE response must be exactly 8 bytes per MS-RDPECLIP 2.2.5.4"
             ));
         }
 
         // Per length check above, this conversion is infallible.
-        let chunk: [u8; 8] = self
-            .data
-            .as_ref()
-            .try_into()
-            .map_err(|_| invalid_field_err!("requestedFileContentsData", "SIZE response data is not 8 bytes"))?;
+        let chunk: [u8; 8] =
+            self.data.as_ref().try_into().map_err(
+                |_| invalid_field_err!(at: 0, "requestedFileContentsData", "SIZE response data is not 8 bytes"),
+            )?;
         Ok(u64::from_le_bytes(chunk))
     }
 }
@@ -182,7 +180,7 @@ impl<'de> Decode<'de> for FileContentsResponse<'de> {
         ensure_size!(in: src, size: header.data_length());
 
         if header.data_length() < Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("requestedFileContentsData", "invalid data size"));
+            return Err(invalid_field_err!(at: 0, "requestedFileContentsData", "invalid data size"));
         };
 
         let data_size = header.data_length() - Self::FIXED_PART_SIZE;
@@ -287,26 +285,23 @@ impl<'de> Decode<'de> for FileContentsRequest {
 
         // [MS-RDPECLIP] 2.2.5.3 - Validate lindex is non-negative
         if index < 0 {
-            return Err(invalid_field_err!(
-                "lindex",
+            return Err(invalid_field_err!(at: 0, "lindex",
                 "file index must be non-negative per MS-RDPECLIP 2.2.5.3"
             ));
         }
 
         // [MS-RDPECLIP] 2.2.5.3 - Validate flags are spec-compliant
-        flags.validate().map_err(|e| invalid_field_err!("dwFlags", e))?;
+        flags.validate().map_err(|e| invalid_field_err!(at: 0, "dwFlags", e))?;
 
         // [MS-RDPECLIP] 2.2.5.3 - Validate SIZE request constraints
         if flags.contains(FileContentsFlags::SIZE) {
             if requested_size != 8 {
-                return Err(invalid_field_err!(
-                    "cbRequested",
+                return Err(invalid_field_err!(at: 0, "cbRequested",
                     "SIZE request must have cbRequested=8 per MS-RDPECLIP 2.2.5.3"
                 ));
             }
             if position != 0 {
-                return Err(invalid_field_err!(
-                    "position",
+                return Err(invalid_field_err!(at: 0, "position",
                     "SIZE request must have position=0 per MS-RDPECLIP 2.2.5.3"
                 ));
             }

crates/ironrdp-cliprdr/src/pdu/format_data/file_list.rs

@@ -184,8 +184,7 @@ impl Encode for FileDescriptor {
         // UTF-16 encoding: each code unit is 2 bytes, plus 2 bytes for null terminator.
         let encoded_len = wire_name.encode_utf16().count() * 2 + 2;
         if NAME_LENGTH < encoded_len {
-            return Err(ironrdp_core::invalid_field_err!(
-                "cFileName",
+            return Err(ironrdp_core::invalid_field_err!(at: 0, "cFileName",
                 "encoded wire name exceeds NAME_LENGTH (520 bytes)"
             ));
         }
@@ -297,8 +296,7 @@ impl<'de> Decode<'de> for PackedFileList {
         let file_count: usize = cast_length!(Self::NAME, "cItems", src.read_u32())?;
 
         if MAX_FILE_COUNT < file_count {
-            return Err(ironrdp_core::invalid_field_err!(
-                "cItems",
+            return Err(ironrdp_core::invalid_field_err!(at: 0, "cItems",
                 "file count exceeds maximum of 100000"
             ));
         }

crates/ironrdp-cliprdr/src/pdu/format_list.rs

@@ -449,7 +449,7 @@ impl<'de> Decode<'de> for FormatListResponse {
         match header.message_flags {
             ClipboardPduFlags::RESPONSE_OK => Ok(FormatListResponse::Ok),
             ClipboardPduFlags::RESPONSE_FAIL => Ok(FormatListResponse::Fail),
-            _ => Err(invalid_field_err!("msgFlags", "invalid format list message flags")),
+            _ => Err(invalid_field_err!(at: 0, "msgFlags", "invalid format list message flags")),
         }
     }
 }

crates/ironrdp-cliprdr/src/pdu/mod.rs

@@ -243,7 +243,7 @@ impl<'de> Decode<'de> for ClipboardPdu<'de> {
             MSG_TYPE_FILE_CONTENTS_RESPONSE => ClipboardPdu::FileContentsResponse(FileContentsResponse::decode(src)?),
             MSG_TYPE_LOCK_CLIPDATA => ClipboardPdu::LockData(LockDataId::decode(src)?),
             MSG_TYPE_UNLOCK_CLIPDATA => ClipboardPdu::UnlockData(LockDataId::decode(src)?),
-            _ => return Err(invalid_field_err!("msgType", "unknown clipboard PDU type")),
+            _ => return Err(invalid_field_err!(at: 0, "msgType", "unknown clipboard PDU type")),
         };
 
         Ok(pdu)

crates/ironrdp-core/src/decode.rs

@@ -15,6 +15,16 @@ pub type DecodeResult<T> = Result<T, DecodeError>;
 pub type DecodeError = ironrdp_error::Error<DecodeErrorKind>;
 
 /// Enum representing different kinds of decode errors.
+///
+/// Variants that arise while reading the wire stream carry a non-optional
+/// `offset` field set to the cursor position at which the error was detected.
+/// This makes fuzz-crash triage tractable without classifier traits or
+/// position-aware metadata on the foundational error type.
+///
+/// Callers that produce these variants from contexts without a stream cursor
+/// pass `0`, which is documented in the [`NotEnoughBytesErr`], [`InvalidFieldErr`],
+/// [`UnexpectedMessageTypeErr`], [`UnsupportedVersionErr`], and [`UnsupportedValueErr`]
+/// traits as "offset unknown."
 #[non_exhaustive]
 #[derive(Clone, Debug)]
 pub enum DecodeErrorKind {
@@ -24,23 +34,31 @@ pub enum DecodeErrorKind {
         received: usize,
         /// Number of bytes expected.
         expected: usize,
+        /// Byte offset in the input stream where the shortage was detected.
+        offset: usize,
     },
     /// Error when a field is invalid.
     InvalidField {
         /// Name of the invalid field.
         field: &'static str,
         /// Reason for invalidity.
         reason: &'static str,
+        /// Byte offset in the input stream where the invalid field was decoded.
+        offset: usize,
     },
     /// Error when an unexpected message type is encountered.
     UnexpectedMessageType {
         /// The unexpected message type received.
         got: u8,
+        /// Byte offset in the input stream where the unexpected type was read.
+        offset: usize,
     },
     /// Error when an unsupported version is encountered.
     UnsupportedVersion {
         /// The unsupported version received.
         got: u8,
+        /// Byte offset in the input stream where the unsupported version was read.
+        offset: usize,
     },
     /// Error when an unsupported value is encountered (with allocation feature).
     #[cfg(feature = "alloc")]
@@ -49,14 +67,22 @@ pub enum DecodeErrorKind {
         name: &'static str,
         /// The unsupported value.
         value: String,
+        /// Byte offset in the input stream where the unsupported value was read.
+        offset: usize,
     },
     /// Error when an unsupported value is encountered (without allocation feature).
     #[cfg(not(feature = "alloc"))]
     UnsupportedValue {
         /// Name of the unsupported value.
         name: &'static str,
+        /// Byte offset in the input stream where the unsupported value was read.
+        offset: usize,
     },
     /// Generic error for other cases.
+    ///
+    /// Does not carry an offset: producers of this variant typically do not
+    /// have stream-cursor access, and the variant exists precisely for those
+    /// cases.
     Other {
         /// Description of the error.
         description: &'static str,
@@ -69,26 +95,30 @@ impl core::error::Error for DecodeErrorKind {}
 impl fmt::Display for DecodeErrorKind {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
-            Self::NotEnoughBytes { received, expected } => write!(
+            Self::NotEnoughBytes {
+                received,
+                expected,
+                offset,
+            } => write!(
                 f,
-                "not enough bytes provided to decode: received {received} bytes, expected {expected} bytes"
+                "not enough bytes provided to decode at offset {offset}: received {received} bytes, expected {expected} bytes"
             ),
-            Self::InvalidField { field, reason } => {
-                write!(f, "invalid `{field}`: {reason}")
+            Self::InvalidField { field, reason, offset } => {
+                write!(f, "invalid `{field}` at offset {offset}: {reason}")
             }
-            Self::UnexpectedMessageType { got } => {
-                write!(f, "invalid message type ({got})")
+            Self::UnexpectedMessageType { got, offset } => {
+                write!(f, "invalid message type ({got}) at offset {offset}")
             }
-            Self::UnsupportedVersion { got } => {
-                write!(f, "unsupported version ({got})")
+            Self::UnsupportedVersion { got, offset } => {
+                write!(f, "unsupported version ({got}) at offset {offset}")
             }
             #[cfg(feature = "alloc")]
-            Self::UnsupportedValue { name, value } => {
-                write!(f, "unsupported {name} ({value})")
+            Self::UnsupportedValue { name, value, offset } => {
+                write!(f, "unsupported {name} ({value}) at offset {offset}")
             }
             #[cfg(not(feature = "alloc"))]
-            Self::UnsupportedValue { name } => {
-                write!(f, "unsupported {name}")
+            Self::UnsupportedValue { name, offset } => {
+                write!(f, "unsupported {name} at offset {offset}")
             }
             Self::Other { description } => {
                 write!(f, "other ({description})")
@@ -98,37 +128,44 @@ impl fmt::Display for DecodeErrorKind {
 }
 
 impl NotEnoughBytesErr for DecodeError {
-    fn not_enough_bytes(context: &'static str, received: usize, expected: usize) -> Self {
-        Self::new(context, DecodeErrorKind::NotEnoughBytes { received, expected })
+    fn not_enough_bytes(context: &'static str, received: usize, expected: usize, offset: usize) -> Self {
+        Self::new(
+            context,
+            DecodeErrorKind::NotEnoughBytes {
+                received,
+                expected,
+                offset,
+            },
+        )
     }
 }
 
 impl InvalidFieldErr for DecodeError {
-    fn invalid_field(context: &'static str, field: &'static str, reason: &'static str) -> Self {
-        Self::new(context, DecodeErrorKind::InvalidField { field, reason })
+    fn invalid_field(context: &'static str, field: &'static str, reason: &'static str, offset: usize) -> Self {
+        Self::new(context, DecodeErrorKind::InvalidField { field, reason, offset })
     }
 }
 
 impl UnexpectedMessageTypeErr for DecodeError {
-    fn unexpected_message_type(context: &'static str, got: u8) -> Self {
-        Self::new(context, DecodeErrorKind::UnexpectedMessageType { got })
+    fn unexpected_message_type(context: &'static str, got: u8, offset: usize) -> Self {
+        Self::new(context, DecodeErrorKind::UnexpectedMessageType { got, offset })
     }
 }
 
 impl UnsupportedVersionErr for DecodeError {
-    fn unsupported_version(context: &'static str, got: u8) -> Self {
-        Self::new(context, DecodeErrorKind::UnsupportedVersion { got })
+    fn unsupported_version(context: &'static str, got: u8, offset: usize) -> Self {
+        Self::new(context, DecodeErrorKind::UnsupportedVersion { got, offset })
     }
 }
 
 impl UnsupportedValueErr for DecodeError {
     #[cfg(feature = "alloc")]
-    fn unsupported_value(context: &'static str, name: &'static str, value: String) -> Self {
-        Self::new(context, DecodeErrorKind::UnsupportedValue { name, value })
+    fn unsupported_value(context: &'static str, name: &'static str, value: String, offset: usize) -> Self {
+        Self::new(context, DecodeErrorKind::UnsupportedValue { name, value, offset })
     }
     #[cfg(not(feature = "alloc"))]
-    fn unsupported_value(context: &'static str, name: &'static str) -> Self {
-        Self::new(context, DecodeErrorKind::UnsupportedValue { name })
+    fn unsupported_value(context: &'static str, name: &'static str, offset: usize) -> Self {
+        Self::new(context, DecodeErrorKind::UnsupportedValue { name, offset })
     }
 }