From 3b1767943f29e40bb03645e1d16e43c123a6e7a5 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 10:24:36 +1300 Subject: [PATCH 1/6] ffi: Reject out-of-range channel count and sample rate at the C boundary. QuickTime v2 audio sample entries can carry a u32 channel count and f64 sample rate that don't fit the u16/u32 C-API fields. Replace the silent truncating casts with checked conversions that return Invalid. --- mp4parse_capi/src/lib.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index af104a31..771f1d6c 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -875,8 +875,12 @@ fn get_track_audio_info( } } }; - sample_info.channels = audio.channelcount as u16; + sample_info.channels = + u16::try_from(audio.channelcount).map_err(|_| Mp4parseStatus::Invalid)?; sample_info.bit_depth = audio.samplesize; + if audio.samplerate < 0.0 || audio.samplerate > u32::MAX as f64 { + return Err(Mp4parseStatus::Invalid); + } sample_info.sample_rate = audio.samplerate as u32; // sample_info.profile is handled below on a per case basis From 088fe334416bbb565ba4a1f82e0754c20d1a7852 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 10:24:53 +1300 Subject: [PATCH 2/6] ffi: Add null checks for out-pointers in get_indice_table and is_fragmented. Both functions dereferenced their out-pointer without first checking for null, unlike every other C API entry point. Add the missing guards so callers that pass null get BadArg instead of a null-deref. --- mp4parse_capi/src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index 771f1d6c..2cb7b512 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -1456,7 +1456,7 @@ pub unsafe extern "C" fn mp4parse_get_indice_table( track_id: u32, indices: *mut Mp4parseByteData, ) -> Mp4parseStatus { - if parser.is_null() { + if parser.is_null() || indices.is_null() { return Mp4parseStatus::BadArg; } @@ -1635,7 +1635,7 @@ pub unsafe extern "C" fn mp4parse_is_fragmented( track_id: u32, fragmented: *mut u8, ) -> Mp4parseStatus { - if parser.is_null() { + if parser.is_null() || fragmented.is_null() { return Mp4parseStatus::BadArg; } From d266be1f354963b767e47374f13aee8b1372e558 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 11:22:26 +1300 Subject: [PATCH 3/6] ffi: Initialize AVIF output structs to defaults before populating. Matches the pattern used by all other FFI getters, ensuring C callers always see valid (zeroed) fields even on error paths. --- mp4parse/src/lib.rs | 2 ++ mp4parse_capi/src/lib.rs | 10 ++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/mp4parse/src/lib.rs b/mp4parse/src/lib.rs index 4aade002..b4854896 100644 --- a/mp4parse/src/lib.rs +++ b/mp4parse/src/lib.rs @@ -3908,8 +3908,10 @@ fn read_colr( /// Rotation in the positive (that is, anticlockwise) direction /// Visualized in terms of starting with (⥠) UPWARDS HARPOON WITH BARB LEFT FROM BAR /// similar to a DIGIT ONE (1) +#[derive(Default)] pub enum ImageRotation { /// ⥠ UPWARDS HARPOON WITH BARB LEFT FROM BAR + #[default] D0, /// ⥞ LEFTWARDS HARPOON WITH BARB DOWN FROM BAR D90, diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index 2cb7b512..c7ae34ba 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -385,7 +385,7 @@ pub enum Mp4parseAvifLoopMode { } #[repr(C)] -#[derive(Debug)] +#[derive(Debug, Default)] pub struct Mp4parseAvifInfo { pub premultiplied_alpha: bool, pub major_brand: [u8; 4], @@ -427,7 +427,7 @@ pub struct Mp4parseAvifInfo { } #[repr(C)] -#[derive(Debug)] +#[derive(Debug, Default)] pub struct Mp4parseAvifImage { pub primary_image: Mp4parseByteData, /// If no alpha item exists, members' `.length` will be 0 and `.data` will be null @@ -1240,6 +1240,9 @@ pub unsafe extern "C" fn mp4parse_avif_get_info( return Mp4parseStatus::BadArg; } + // Initialize fields to default values to ensure all fields are always valid. + *avif_info = Default::default(); + if let Ok(info) = mp4parse_avif_get_info_safe((*parser).context()) { *avif_info = info; Mp4parseStatus::Ok @@ -1422,6 +1425,9 @@ pub unsafe extern "C" fn mp4parse_avif_get_image( return Mp4parseStatus::BadArg; } + // Initialize fields to default values to ensure all fields are always valid. + *avif_image = Default::default(); + if let Ok(image) = mp4parse_avif_get_image_safe(&*parser) { *avif_image = image; Mp4parseStatus::Ok From c6a75945a035c23109c0e3c758959a7acbbdb142 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 11:22:41 +1300 Subject: [PATCH 4/6] ffi: Reject timescales that don't fit in u32 instead of truncating. --- mp4parse_capi/src/lib.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index c7ae34ba..1b3d102b 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -724,7 +724,10 @@ pub unsafe extern "C" fn mp4parse_get_track_info( let track = &context.tracks[track_index]; if let (Some(timescale), Some(context_timescale)) = (track.timescale, context.timescale) { - info.time_scale = timescale.0 as u32; + info.time_scale = match timescale.0.try_into() { + Ok(v) => v, + Err(_) => return Mp4parseStatus::Invalid, + }; let media_time: CheckedInteger = track .media_time .map_or(0.into(), |media_time| media_time.0.into()); From 7c0833e417a1ddf1435ad1ddaeeea1839ae29f00 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 11:22:54 +1300 Subject: [PATCH 5/6] ffi: Assert that the read callback does not return more bytes than requested. --- mp4parse_capi/src/lib.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index 1b3d102b..3e6ac113 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -543,6 +543,10 @@ impl Read for Mp4parseIo { } let rv = self.read.unwrap()(buf.as_mut_ptr(), buf.len(), self.userdata); if rv >= 0 { + assert!( + rv as usize <= buf.len(), + "read callback returned more bytes than buffer size" + ); Ok(rv as usize) } else { Err(std::io::Error::other("I/O error in Mp4parseIo Read impl")) From fb271cc5eda990a50bf7ac19dfd9f6f1e8b20431 Mon Sep 17 00:00:00 2001 From: Matthew Gregan Date: Sat, 14 Mar 2026 11:23:12 +1300 Subject: [PATCH 6/6] ffi: Document that thread safety is the caller's responsibility. --- mp4parse_capi/src/lib.rs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mp4parse_capi/src/lib.rs b/mp4parse_capi/src/lib.rs index 3e6ac113..c0aa4165 100644 --- a/mp4parse_capi/src/lib.rs +++ b/mp4parse_capi/src/lib.rs @@ -345,6 +345,11 @@ pub struct Mp4parseFragmentInfo { /// Parser state for MP4 files, exposed to C callers via raw pointer. /// +/// # Thread safety +/// +/// A parser instance must not be accessed from multiple threads +/// concurrently. The caller is responsible for serializing all access. +/// /// # Pointer stability /// /// Several C API functions return raw pointers into data cached on this @@ -475,6 +480,12 @@ impl ContextParser for Mp4parseParser { } } +/// Parser state for AVIF files, exposed to C callers via raw pointer. +/// +/// # Thread safety +/// +/// A parser instance must not be accessed from multiple threads +/// concurrently. The caller is responsible for serializing all access. #[derive(Default)] pub struct Mp4parseAvifParser { context: AvifContext,