fix(unsafe): add SAFETY comment and runtime guards for from_raw_parts in drain_encoder

Issue: #5 - Read AVPacket fields into local variable to avoid repeated pointer deref - Guard against size <= 0 (prevents c_int negative wrap to huge usize) - Guard against null data pointer (from_raw_parts(null, 0) is UB in Rust) - Add SAFETY comment matching existing codebase convention (30+ instances)
2026-06-06 11:56:47 +08:00
parent 9a5b09cd7f
commit fd170b66d9
1 changed files with 12 additions and 7 deletions
--- a/src/avhw.rs
+++ b/src/avhw.rs
@@ -866,13 +866,18 @@ impl SwEncState {
                    self.frames_written = true;
                }
                Some(FrameOutput::Channel(ref tx)) => {
-                    let data: &[u8] = unsafe {
-                        std::slice::from_raw_parts(
-                            (*pkt.as_mut_ptr()).data,
-                            (*pkt.as_mut_ptr()).size as usize,
-                        )
-                    };
-                    let _ = tx.send(data.to_vec());
+                    let raw = unsafe { *pkt.as_mut_ptr() };
+                    if raw.size > 0 && !raw.data.is_null() {
+                        // SAFETY: `pkt` is a valid AVPacket just filled by a successful
+                        // `avcodec_receive_packet` call. We checked `size > 0` and
+                        // `data` is non-null, so `data` points to `size` initialized
+                        // bytes owned by the packet. `u8` has alignment 1, and the
+                        // slice is copied into a Vec before the packet is unreffed.
+                        let data: &[u8] = unsafe {
+                            std::slice::from_raw_parts(raw.data, raw.size as usize)
+                        };
+                        let _ = tx.send(data.to_vec());
+                    }
                }
                None => {}
            }