feat(error): populate decode/encode error offsets from cursor positions

Audit-driven sweep through every call site that passed `0` as the offset
to a decode or encode error producer. Foundation in Devolutions#1266 documented `0`
as the "offset unknown" sentinel; this commit replaces it with a real
cursor position wherever one is in scope.

Coverage: 408 call sites total reviewed via brace-depth enclosing-fn analysis.

- 333 macro-form sites in `invalid_field_err!`, `not_enough_bytes_err!`,
  `unexpected_message_type_err!`, `unsupported_version_err!`,
  `unsupported_value_err!`, `cast_length!`, `cast_int!` upgraded from
  `at: 0` to `in: <cursor>`. The cursor's name comes from the immediate
  enclosing function signature (most are `src`, several `dst`, a few
  `cursor`, and the BER routines use `stream`).
- 9 direct-function-call sites (`invalid_field_err(...)`,
  `unexpected_message_type_err(...)`, `unsupported_value_err(...)`,
  `invalid_field_err_with_source(...)`) updated to pass `src.pos()` or
  `dst.pos()` from the enclosing decode/encode method.
- The `per_field_err!` helper macro in `ironrdp-pdu/src/mcs.rs` now
  takes `in: $cursor` and captures the cursor's position into the
  returned closure, so PER read/write failures carry the byte offset
  of the field that failed. All 26 callers updated.
- The `validate_dimensions!` and `check_masks_alignment!` local macros
  in displaycontrol/pointer now take an explicit `$offset:expr`. Their
  call sites pass `0` from constructors and `<cursor>.pos()` from
  decode/encode paths.
- 57 sites remain at `at: 0`. These are in `try_from` impls on enum
  discriminants, `new`/`with_*` constructors, accessors on already
  decoded structs, dimension/size validators, and one `find_size`
  helper that takes `&[u8]` and reports byte-0 errors. None of them
  have a cursor in scope, so no offset is knowable.

Foundation-crate macros were tightened to enforce the discipline at
compile time:

- `ensure_size!`'s inner offset is now `$buf.pos()` instead of `0`,
  enabled by refactoring `encode_string` from `dst: &mut [u8]` to
  `dst: &mut WriteCursor<'_>` so the cursor invariant holds for every
  caller. The two slice-form callers (`cliprdr/format_data/file_list.rs`
  and `rdp/capability_sets/input.rs`) were updated to pass the cursor
  directly and use `write_padding!` for fixed-width fields.
- `cast_length!` and `cast_int!` no longer accept a bare form. Callers
  must pick `in: <cursor>` to extract the position or `at: <offset>`
  to pass one explicitly.
- Doc comments for `cast_length!` and `cast_int!` updated to show the
  new in:/at: forms.

Test snapshots that print full `Error` debug output were regenerated
through `UPDATE_EXPECT=1`; the new fixtures now record the real byte
offsets where decode failures originate. Examples: pcb null_size at
offset 4 (after the u32 cbSize read), pcb_v2_string_too_big at 18,
x224 nego_request_unexpected_rdp_msg_type at 35.

The `encode_string` API change is the only user-visible API change in
this commit beyond Devolutions#1266's new error variant fields.

Refs Devolutions#1266, Devolutions#1120.

Author: lamco-office

crates/ironrdp-ainput/src/lib.rs

@@ -160,7 +160,7 @@ impl<'de> Decode<'de> for ServerPdu {
         ensure_fixed_part_size!(in: src);
 
         let pdu_type = ServerPduType::from_u16(src.read_u16())
-            .ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type", at: 0))?;
+            .ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type", in: src))?;
 
         let server_pdu = match pdu_type {
             ServerPduType::Version => ServerPdu::Version(VersionPdu::decode(src)?),
@@ -257,7 +257,7 @@ impl<'de> Decode<'de> for ClientPdu {
         ensure_fixed_part_size!(in: src);
 
         let pdu_type = ClientPduType::from_u16(src.read_u16())
-            .ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type", at: 0))?;
+            .ok_or_else(|| invalid_field_err!("pduType", "invalid pdu type", in: src))?;
 
         let client_pdu = match pdu_type {
             ClientPduType::Mouse => ClientPdu::Mouse(MousePdu::decode(src)?),

crates/ironrdp-cliprdr-format/src/bitmap.rs

@@ -243,19 +243,19 @@ impl BitmapInfoHeader {
 
         let width = src.read_i32();
         check_invariant(width != i32::MIN && width.abs() <= 10_000)
-            .ok_or_else(|| invalid_field_err!("biWidth", "width is too big", at: 0))?;
+            .ok_or_else(|| invalid_field_err!("biWidth", "width is too big", in: src))?;
 
         let height = src.read_i32();
         check_invariant(height != i32::MIN && height.abs() <= 10_000)
-            .ok_or_else(|| invalid_field_err!("biHeight", "height is too big", at: 0))?;
+            .ok_or_else(|| invalid_field_err!("biHeight", "height is too big", in: src))?;
 
         let planes = src.read_u16();
         if planes != 1 {
-            return Err(invalid_field_err!("biPlanes", "invalid planes count", at: 0));
+            return Err(invalid_field_err!("biPlanes", "invalid planes count", in: src));
         }
 
         let bit_count = src.read_u16();
-        check_invariant(bit_count <= 32).ok_or_else(|| invalid_field_err!("biBitCount", "invalid bit count", at: 0))?;
+        check_invariant(bit_count <= 32).ok_or_else(|| invalid_field_err!("biBitCount", "invalid bit count", in: src))?;
 
         let compression = BitmapCompression(src.read_u32());
         let size_image = src.read_u32();
@@ -301,7 +301,7 @@ impl BitmapInfoHeader {
 
 impl Encode for BitmapInfoHeader {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let size = cast_int!("biSize", Self::FIXED_PART_SIZE)?;
+        let size = cast_int!("biSize", Self::FIXED_PART_SIZE, in: dst)?;
         self.encode_with_size(dst, size)
     }
 
@@ -317,10 +317,10 @@ impl Encode for BitmapInfoHeader {
 impl<'a> Decode<'a> for BitmapInfoHeader {
     fn decode(src: &mut ReadCursor<'a>) -> DecodeResult<Self> {
         let (header, size) = Self::decode_with_size(src)?;
-        let size: usize = cast_int!("biSize", size)?;
+        let size: usize = cast_int!("biSize", size, in: src)?;
 
         if size != Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("biSize", "invalid V1 bitmap info header size", at: 0));
+            return Err(invalid_field_err!("biSize", "invalid V1 bitmap info header size", in: src));
         }
 
         Ok(header)
@@ -369,7 +369,7 @@ impl Encode for BitmapV5Header {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
         ensure_fixed_part_size!(in: dst);
 
-        let size = cast_int!("biSize", Self::FIXED_PART_SIZE)?;
+        let size = cast_int!("biSize", Self::FIXED_PART_SIZE, in: dst)?;
         self.v1.encode_with_size(dst, size)?;
 
         dst.write_u32(self.red_mask);
@@ -403,10 +403,10 @@ impl<'a> Decode<'a> for BitmapV5Header {
         ensure_fixed_part_size!(in: src);
 
         let (header_v1, size) = BitmapInfoHeader::decode_with_size(src)?;
-        let size: usize = cast_int!("biSize", size)?;
+        let size: usize = cast_int!("biSize", size, in: src)?;
 
         if size != Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("biSize", "invalid V5 bitmap info header size", at: 0));
+            return Err(invalid_field_err!("biSize", "invalid V5 bitmap info header size", in: src));
         }
 
         let red_mask = src.read_u32();

crates/ironrdp-cliprdr/src/pdu/capabilities.rs

@@ -60,12 +60,12 @@ impl Capabilities {
 
 impl Encode for Capabilities {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let header = PartialHeader::new(cast_int!("dataLen", self.inner_size())?);
+        let header = PartialHeader::new(cast_int!("dataLen", self.inner_size(), in: dst)?);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: self.inner_size());
 
-        dst.write_u16(cast_length!(Self::NAME, "cCapabilitiesSets", self.capabilities.len())?);
+        dst.write_u16(cast_length!(Self::NAME, "cCapabilitiesSets", self.capabilities.len(), in: dst)?);
         write_padding!(dst, 2);
 
         for capability in &self.capabilities {
@@ -141,7 +141,7 @@ impl Encode for CapabilitySet {
 
         ensure_size!(in: dst, size: length);
         dst.write_u16(Self::CAPSTYPE_GENERAL);
-        dst.write_u16(cast_int!("lengthCapability", length)?);
+        dst.write_u16(cast_int!("lengthCapability", length, in: dst)?);
         caps.encode(dst)
     }
 
@@ -171,7 +171,7 @@ impl<'de> Decode<'de> for CapabilitySet {
                 Ok(Self::General(general))
             }
             _ => Err(invalid_field_err!( "capabilitySetType",
-                "invalid clipboard capability set type", at: 0)),
+                "invalid clipboard capability set type", in: src)),
         }
     }
 }

crates/ironrdp-cliprdr/src/pdu/client_temporary_directory.rs

@@ -58,7 +58,7 @@ impl ClientTemporaryDirectory<'_> {
 
 impl Encode for ClientTemporaryDirectory<'_> {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let header = PartialHeader::new(cast_int!("dataLen", Self::INNER_SIZE)?);
+        let header = PartialHeader::new(cast_int!("dataLen", Self::INNER_SIZE, in: dst)?);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: Self::INNER_SIZE);

crates/ironrdp-cliprdr/src/pdu/file_contents.rs

@@ -150,7 +150,7 @@ impl Encode for FileContentsResponse<'_> {
             ClipboardPduFlags::RESPONSE_OK
         };
 
-        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.inner_size())?, flags);
+        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.inner_size(), in: dst)?, flags);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: self.inner_size());
@@ -179,7 +179,7 @@ impl<'de> Decode<'de> for FileContentsResponse<'de> {
         ensure_size!(in: src, size: header.data_length());
 
         if header.data_length() < Self::FIXED_PART_SIZE {
-            return Err(invalid_field_err!("requestedFileContentsData", "invalid data size", at: 0));
+            return Err(invalid_field_err!("requestedFileContentsData", "invalid data size", in: src));
         };
 
         let data_size = header.data_length() - Self::FIXED_PART_SIZE;
@@ -230,7 +230,7 @@ impl Encode for FileContentsRequest {
     /// Callers that build these PDUs are responsible for setting fields correctly;
     /// use [`FileContentsFlags::validate`] to check flag consistency.
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let header = PartialHeader::new(cast_int!("dataLen", self.inner_size())?);
+        let header = PartialHeader::new(cast_int!("dataLen", self.inner_size(), in: dst)?);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: self.inner_size());
@@ -285,21 +285,21 @@ impl<'de> Decode<'de> for FileContentsRequest {
         // [MS-RDPECLIP] 2.2.5.3 - Validate lindex is non-negative
         if index < 0 {
             return Err(invalid_field_err!( "lindex",
-                "file index must be non-negative per MS-RDPECLIP 2.2.5.3", at: 0));
+                "file index must be non-negative per MS-RDPECLIP 2.2.5.3", in: src));
         }
 
         // [MS-RDPECLIP] 2.2.5.3 - Validate flags are spec-compliant
-        flags.validate().map_err(|e| invalid_field_err!("dwFlags", e, at: 0))?;
+        flags.validate().map_err(|e| invalid_field_err!("dwFlags", e, in: src))?;
 
         // [MS-RDPECLIP] 2.2.5.3 - Validate SIZE request constraints
         if flags.contains(FileContentsFlags::SIZE) {
             if requested_size != 8 {
                 return Err(invalid_field_err!( "cbRequested",
-                    "SIZE request must have cbRequested=8 per MS-RDPECLIP 2.2.5.3", at: 0));
+                    "SIZE request must have cbRequested=8 per MS-RDPECLIP 2.2.5.3", in: src));
             }
             if position != 0 {
                 return Err(invalid_field_err!( "position",
-                    "SIZE request must have position=0 per MS-RDPECLIP 2.2.5.3", at: 0));
+                    "SIZE request must have position=0 per MS-RDPECLIP 2.2.5.3", in: src));
             }
         }
 

crates/ironrdp-cliprdr/src/pdu/format_data/file_list.rs

@@ -185,11 +185,10 @@ impl Encode for FileDescriptor {
         let encoded_len = wire_name.encode_utf16().count() * 2 + 2;
         if NAME_LENGTH < encoded_len {
             return Err(ironrdp_core::invalid_field_err!( "cFileName",
-                "encoded wire name exceeds NAME_LENGTH (520 bytes)", at: 0));
+                "encoded wire name exceeds NAME_LENGTH (520 bytes)", in: dst));
         }
 
-        let written = encode_string(dst.remaining_mut(), &wire_name, CharacterSet::Unicode, true)?;
-        dst.advance(written);
+        let written = encode_string(dst, &wire_name, CharacterSet::Unicode, true)?;
 
         // Pad with zeroes, overriding any previously written data
         write_padding!(dst, NAME_LENGTH - written);
@@ -271,7 +270,7 @@ impl Encode for PackedFileList {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
         ensure_fixed_part_size!(in: dst);
 
-        dst.write_u32(cast_length!(Self::NAME, "cItems", self.files.len())?);
+        dst.write_u32(cast_length!(Self::NAME, "cItems", self.files.len(), in: dst)?);
 
         for file in &self.files {
             file.encode(dst)?;
@@ -292,11 +291,11 @@ impl Encode for PackedFileList {
 impl<'de> Decode<'de> for PackedFileList {
     fn decode(src: &mut ReadCursor<'de>) -> DecodeResult<Self> {
         ensure_fixed_part_size!(in: src);
-        let file_count: usize = cast_length!(Self::NAME, "cItems", src.read_u32())?;
+        let file_count: usize = cast_length!(Self::NAME, "cItems", src.read_u32(), in: src)?;
 
         if MAX_FILE_COUNT < file_count {
             return Err(ironrdp_core::invalid_field_err!( "cItems",
-                "file count exceeds maximum of 100000", at: 0));
+                "file count exceeds maximum of 100000", in: src));
         }
 
         // Cap pre-allocation against remaining bytes to prevent OOM from

crates/ironrdp-cliprdr/src/pdu/format_data/mod.rs

@@ -177,7 +177,7 @@ impl Encode for FormatDataResponse<'_> {
             ClipboardPduFlags::RESPONSE_OK
         };
 
-        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.data.len())?, flags);
+        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.data.len(), in: dst)?, flags);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: self.data.len());
@@ -228,7 +228,7 @@ impl FormatDataRequest {
 
 impl Encode for FormatDataRequest {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let header = PartialHeader::new(cast_int!("dataLen", Self::FIXED_PART_SIZE)?);
+        let header = PartialHeader::new(cast_int!("dataLen", Self::FIXED_PART_SIZE, in: dst)?);
         header.encode(dst)?;
 
         ensure_fixed_part_size!(in: dst);

crates/ironrdp-cliprdr/src/pdu/format_list.rs

@@ -391,7 +391,7 @@ impl Encode for FormatList<'_> {
             ClipboardPduFlags::empty()
         };
 
-        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.encoded_formats.len())?, header_flags);
+        let header = PartialHeader::new_with_flags(cast_int!("dataLen", self.encoded_formats.len(), in: dst)?, header_flags);
         header.encode(dst)?;
 
         ensure_size!(in: dst, size: self.encoded_formats.len());
@@ -449,7 +449,7 @@ impl<'de> Decode<'de> for FormatListResponse {
         match header.message_flags {
             ClipboardPduFlags::RESPONSE_OK => Ok(FormatListResponse::Ok),
             ClipboardPduFlags::RESPONSE_FAIL => Ok(FormatListResponse::Fail),
-            _ => Err(invalid_field_err!("msgFlags", "invalid format list message flags", at: 0)),
+            _ => Err(invalid_field_err!("msgFlags", "invalid format list message flags", in: src)),
         }
     }
 }

crates/ironrdp-cliprdr/src/pdu/lock.rs

@@ -18,7 +18,7 @@ impl LockDataId {
 
 impl Encode for LockDataId {
     fn encode(&self, dst: &mut WriteCursor<'_>) -> EncodeResult<()> {
-        let header = PartialHeader::new(cast_int!("dataLen", Self::FIXED_PART_SIZE)?);
+        let header = PartialHeader::new(cast_int!("dataLen", Self::FIXED_PART_SIZE, in: dst)?);
         header.encode(dst)?;
 
         ensure_fixed_part_size!(in: dst);

crates/ironrdp-cliprdr/src/pdu/mod.rs

@@ -243,7 +243,7 @@ impl<'de> Decode<'de> for ClipboardPdu<'de> {
             MSG_TYPE_FILE_CONTENTS_RESPONSE => ClipboardPdu::FileContentsResponse(FileContentsResponse::decode(src)?),
             MSG_TYPE_LOCK_CLIPDATA => ClipboardPdu::LockData(LockDataId::decode(src)?),
             MSG_TYPE_UNLOCK_CLIPDATA => ClipboardPdu::UnlockData(LockDataId::decode(src)?),
-            _ => return Err(invalid_field_err!("msgType", "unknown clipboard PDU type", at: 0)),
+            _ => return Err(invalid_field_err!("msgType", "unknown clipboard PDU type", in: src)),
         };
 
         Ok(pdu)