fix(unsafe): add SAFETY comment and runtime guards for from_raw_parts in drain_encoder

Issue: #5 - Read AVPacket fields into local variable to avoid repeated pointer deref - Guard against size <= 0 (prevents c_int negative wrap to huge usize) - Guard against null data pointer (from_raw_parts(null, 0) is UB in Rust) - Add SAFETY comment matching existing codebase convention (30+ instances)
2026-06-06 11:56:47 +08:00
parent 9a5b09cd7f
commit fd170b66d9
1 changed files with 12 additions and 7 deletions
--- a/src/avhw.rs
+++ b/src/avhw.rs
@@ -866,13 +866,18 @@ impl SwEncState {
                    self.frames_written = true;
                }
                Some(FrameOutput::Channel(ref tx)) => {
-                    let data: &[u8] = unsafe {
+                    let raw = unsafe { *pkt.as_mut_ptr() };
-                        std::slice::from_raw_parts(
+                    if raw.size > 0 && !raw.data.is_null() {
-                            (*pkt.as_mut_ptr()).data,
+                        // SAFETY: `pkt` is a valid AVPacket just filled by a successful
-                            (*pkt.as_mut_ptr()).size as usize,
+                        // `avcodec_receive_packet` call. We checked `size > 0` and
-                        )
+                        // `data` is non-null, so `data` points to `size` initialized
-                    };
+                        // bytes owned by the packet. `u8` has alignment 1, and the
-                    let _ = tx.send(data.to_vec());
+                        // slice is copied into a Vec before the packet is unreffed.
                        let data: &[u8] = unsafe {
                            std::slice::from_raw_parts(raw.data, raw.size as usize)
                        };
                        let _ = tx.send(data.to_vec());
                    }
                }
                None => {}
            }