Fix AddFile to verify actual bytes read matches declared size

Return an error if totalRead != size after reading the file,
preventing silent data corruption from truncated or oversized reads.

Closes #25

mfer/builder.go

@@ -3,6 +3,7 @@ package mfer
 import (
 	"crypto/sha256"
 	"errors"
+	"fmt"
 	"io"
 	"sync"
 	"time"
@@ -96,6 +97,11 @@ func (b *Builder) AddFile(
 		}
 	}
 
+	// Verify actual bytes read matches declared size
+	if totalRead != size {
+		return totalRead, fmt.Errorf("size mismatch for %q: declared %d bytes but read %d bytes", path, size, totalRead)
+	}
+
 	// Encode hash as multihash (SHA2-256)
 	mh, err := multihash.Encode(h.Sum(nil), multihash.SHA2_256)
 	if err != nil {

mfer/constants.go

@@ -3,9 +3,4 @@ package mfer
 const (
 	Version     = "0.1.0"
 	ReleaseDate = "2025-12-17"
-
-	// MaxDecompressedSize is the maximum allowed size of decompressed manifest
-	// data (256 MB). This prevents decompression bombs from consuming excessive
-	// memory.
-	MaxDecompressedSize int64 = 256 * 1024 * 1024
 )

mfer/deserialize.go

@@ -76,20 +76,10 @@ func (m *manifest) deserializeInner() error {
 	}
 	defer zr.Close()
 
-	// Limit decompressed size to prevent decompression bombs.
+	dat, err := io.ReadAll(zr)
-	// Use declared size + 1 byte to detect overflow, capped at MaxDecompressedSize.
-	maxSize := MaxDecompressedSize
-	if m.pbOuter.Size > 0 && m.pbOuter.Size < int64(maxSize) {
-		maxSize = int64(m.pbOuter.Size) + 1
-	}
-	limitedReader := io.LimitReader(zr, maxSize)
-	dat, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return err
 	}
-	if int64(len(dat)) >= MaxDecompressedSize {
-		return fmt.Errorf("decompressed data exceeds maximum allowed size of %d bytes", MaxDecompressedSize)
-	}
 
 	isize := len(dat)
 	if int64(isize) != m.pbOuter.Size {