Do not panic on overlong input or output

src/error.rs

@@ -17,6 +17,10 @@ pub(crate) enum ParseErrorKind {
     ///
     /// The error index points to the first byte of the address.
     InvalidIpv6Addr,
+    /// The input length is greater than [`u32::MAX`].
+    ///
+    /// The error index equals `0`.
+    OverlongInput,
 }
 
 /// An error occurred when parsing URI references.
@@ -63,6 +67,7 @@ impl<I> std::error::Error for ParseError<I> {}
 pub(crate) enum ResolveErrorKind {
     NonAbsoluteBase,
     NonHierarchicalBase,
+    OverlongOutput,
     // PathUnderflow,
 }
 

src/fmt.rs

@@ -46,6 +46,7 @@ impl<I> Display for ParseError<I> {
             ParseErrorKind::InvalidOctet => "invalid percent-encoded octet at index ",
             ParseErrorKind::UnexpectedChar => "unexpected character at index ",
             ParseErrorKind::InvalidIpv6Addr => "invalid IPv6 address at index ",
+            ParseErrorKind::OverlongInput => "overlong input at index ",
         };
         write!(f, "{}{}", msg, self.index)
     }
@@ -58,6 +59,7 @@ impl Display for ResolveError {
             ResolveErrorKind::NonHierarchicalBase => {
                 "resolving non-same-document relative reference against non-hierarchical base URI"
             }
+            ResolveErrorKind::OverlongOutput => "overlong output",
         };
         f.write_str(msg)
     }

src/lib.rs

@@ -134,15 +134,12 @@ impl<T> Uri<T> {
     /// # Errors
     ///
     /// Returns `Err` if the string does not match
-    /// the [`URI-reference`] ABNF rule from RFC 3986.
+    /// the [`URI-reference`] ABNF rule from RFC 3986 or
+    /// if the input length is greater than [`u32::MAX`].
     ///
     /// You may recover an input [`String`] by calling [`ParseError::into_input`].
     ///
     /// [`URI-reference`]: https://datatracker.ietf.org/doc/html/rfc3986/#section-4.1
-    ///
-    /// # Panics
-    ///
-    /// Panics if the input length is greater than [`u32::MAX`].
     pub fn parse<I>(input: I) -> Result<Self, I::Err>
     where
         I: ToUri<Val = T>,
@@ -334,11 +331,8 @@ impl<'i, 'o, T: BorrowOrShare<'i, 'o, str>> Uri<T> {
     ///
     /// # Errors
     ///
-    /// Returns `Err` if any of the above two **must**s is violated.
-    ///
-    /// # Panics
-    ///
-    /// Panics if the output length would be greater than [`u32::MAX`].
+    /// Returns `Err` if any of the above two **must**s is violated or
+    /// if the output length would be greater than [`u32::MAX`].
     ///
     /// # Examples
     ///

src/parser.rs

@@ -10,9 +10,20 @@ use core::{
 
 type Result<T> = core::result::Result<T, crate::error::ParseError>;
 
+/// Returns immediately with an error.
+macro_rules! err {
+    ($index:expr, $kind:ident) => {
+        return Err(crate::error::ParseError {
+            index: $index as u32,
+            kind: crate::error::ParseErrorKind::$kind,
+            input: (),
+        })
+    };
+}
+
 pub(crate) fn parse(bytes: &[u8]) -> Result<Meta> {
     if bytes.len() > u32::MAX as usize {
-        panic!("input length > u32::MAX");
+        err!(0, OverlongInput);
     }
 
     let mut parser = Parser {
@@ -23,17 +34,6 @@ pub(crate) fn parse(bytes: &[u8]) -> Result<Meta> {
     Ok(parser.out)
 }
 
-/// Returns immediately with an error.
-macro_rules! err {
-    ($index:expr, $kind:ident) => {
-        return Err(crate::error::ParseError {
-            index: $index as u32,
-            kind: crate::error::ParseErrorKind::$kind,
-            input: (),
-        })
-    };
-}
-
 /// URI parser.
 ///
 /// # Invariants

src/resolver.rs

@@ -128,9 +128,11 @@ pub(crate) fn resolve(
         buf.push_str(fragment.as_str());
     }
 
-    assert!(buf.len() <= u32::MAX as usize, "output length > u32::MAX");
-
-    Ok(Uri { val: buf, meta })
+    if buf.len() <= u32::MAX as usize {
+        Ok(Uri { val: buf, meta })
+    } else {
+        Err(ResolveError(ResolveErrorKind::OverlongOutput))
+    }
 }
 
 /// Removes dot segments from an absolute path.