Fix pointer-to-pointer infinite recursion

Replace recursive decodeKey implementation with iterative approach and add
validation to prevent pointer-to-pointer references which are invalid per
MaxMind DB specification.

Author: oschwald

CHANGELOG.md

@@ -5,6 +5,8 @@
 - Added `Offset()` method to `Decoder` to get the current database offset. This
   enables custom unmarshalers to implement caching for improved performance when
   loading databases with duplicate data structures.
+- Fixed infinite recursion in pointer-to-pointer data structures, which are
+  invalid per the MaxMind DB specification.
 
 ## 2.0.0-beta.4 - 2025-07-05
 

internal/decoder/data_decoder.go

@@ -380,14 +380,31 @@ func (d *DataDecoder) decodeKey(offset uint) ([]byte, uint, error) {
 	if err != nil {
 		return nil, 0, err
 	}
+
+	// Follow pointer if present (but only once, per spec)
+	nextOffset := dataOffset + size // default return offset
 	if kindNum == KindPointer {
-		pointer, ptrOffset, err := d.decodePointer(size, dataOffset)
+		pointer, newNextOffset, err := d.decodePointer(size, dataOffset)
+		if err != nil {
+			return nil, 0, err
+		}
+		nextOffset = newNextOffset
+
+		// Decode the pointed-to data
+		kindNum, size, dataOffset, err = d.decodeCtrlData(pointer)
 		if err != nil {
 			return nil, 0, err
 		}
-		key, _, err := d.decodeKey(pointer)
-		return key, ptrOffset, err
+
+		// Check for pointer-to-pointer, which is invalid per spec
+		if kindNum == KindPointer {
+			return nil, 0, mmdberrors.NewInvalidDatabaseError(
+				"invalid pointer to pointer at offset %d",
+				pointer,
+			)
+		}
 	}
+
 	if kindNum != KindString {
 		return nil, 0, mmdberrors.NewInvalidDatabaseError(
 			"unexpected type when decoding string: %v",
@@ -398,7 +415,7 @@ func (d *DataDecoder) decodeKey(offset uint) ([]byte, uint, error) {
 	if newOffset > uint(len(d.buffer)) {
 		return nil, 0, mmdberrors.NewOffsetError()
 	}
-	return d.buffer[dataOffset:newOffset], newOffset, nil
+	return d.buffer[dataOffset:newOffset], nextOffset, nil
 }
 
 // NextValueOffset skips ahead to the next value without decoding

internal/decoder/reflection.go

@@ -98,6 +98,14 @@ PATH:
 			if err != nil {
 				return err
 			}
+
+			// Check for pointer-to-pointer after we've already read the data
+			if typeNum == KindPointer {
+				return mmdberrors.NewInvalidDatabaseError(
+					"invalid pointer to pointer at offset %d",
+					pointer,
+				)
+			}
 		}
 
 		switch v := v.(type) {
@@ -512,6 +520,19 @@ func (d *ReflectionDecoder) unmarshalPointer(
 	if err != nil {
 		return 0, err
 	}
+
+	// Check for pointer-to-pointer by looking at what we're about to decode
+	// This is done efficiently by checking the control byte at the pointer location
+	if len(d.buffer) > int(pointer) {
+		controlByte := d.buffer[pointer]
+		if (controlByte >> 5) == 1 { // KindPointer = 1, stored in top 3 bits
+			return 0, mmdberrors.NewInvalidDatabaseError(
+				"invalid pointer to pointer at offset %d",
+				pointer,
+			)
+		}
+	}
+
 	_, err = d.decodeValue(pointer, result, depth)
 	return newOffset, err
 }