webmproject · y-guyon · Apr 11, 2024 · riking · May 20, 2024
diff --git a/src/capi/decoder.rs b/src/capi/decoder.rs
@@ -125,7 +125,7 @@ pub unsafe extern "C" fn crabby_avifDecoderSetIOMemory(
     size: usize,
 ) -> avifResult {
     let rust_decoder = unsafe { &mut (*decoder).rust_decoder };
-    to_avifResult(&rust_decoder.set_io_raw(data, size))
+    to_avifResult(unsafe { &rust_decoder.set_io_raw(data, size) })
 }
 
 #[no_mangle]

diff --git a/src/capi/io.rs b/src/capi/io.rs
@@ -225,7 +225,7 @@ pub unsafe extern "C" fn crabby_avifIOCreateMemoryReader(
     size: usize,
 ) -> *mut avifIO {
     let cio = Box::new(avifCIOWrapper {
-        io: Box::new(DecoderRawIO::create(data, size)),
+        io: Box::new(unsafe { DecoderRawIO::create(data, size) }),
         buf: Vec::new(),
     });
     let io = Box::new(avifIO {

diff --git a/src/capi/reformat.rs b/src/capi/reformat.rs
@@ -54,7 +54,7 @@ impl From<*mut avifRGBImage> for rgb::Image {
             premultiply_alpha: rgb.alpha_premultiplied,
             is_float: rgb.is_float,
             max_threads: rgb.max_threads,
-            pixels: Some(Pixels::from_raw_pointer(rgb.pixels, rgb.depth)),
+            pixels: Some(unsafe { Pixels::from_raw_pointer(rgb.pixels, rgb.depth) }),
             row_bytes: rgb.row_bytes,
         };
         let format = match (rgb.format, rgb.ignore_alpha) {
@@ -87,10 +87,10 @@ impl From<*const avifImage> for image::Image {
             alpha_present: !image.alphaPlane.is_null(),
             alpha_premultiplied: image.alphaPremultiplied == AVIF_TRUE,
             planes: [
-                Some(Pixels::from_raw_pointer(image.yuvPlanes[0], image.depth)),
-                Some(Pixels::from_raw_pointer(image.yuvPlanes[1], image.depth)),
-                Some(Pixels::from_raw_pointer(image.yuvPlanes[2], image.depth)),
-                Some(Pixels::from_raw_pointer(image.alphaPlane, image.depth)),
+                Some(unsafe { Pixels::from_raw_pointer(image.yuvPlanes[0], image.depth) }),
+                Some(unsafe { Pixels::from_raw_pointer(image.yuvPlanes[1], image.depth) }),
+                Some(unsafe { Pixels::from_raw_pointer(image.yuvPlanes[2], image.depth) }),
+                Some(unsafe { Pixels::from_raw_pointer(image.alphaPlane, image.depth) }),
             ],
             row_bytes: [
                 image.yuvRowBytes[0],

diff --git a/src/codecs/dav1d.rs b/src/codecs/dav1d.rs
@@ -150,10 +150,9 @@ impl Decoder for Dav1d {
                 image.width = dav1d_picture.p.w as u32;
                 image.height = dav1d_picture.p.h as u32;
                 image.depth = dav1d_picture.p.bpc as u8;
-                image.planes[3] = Some(Pixels::from_raw_pointer(
-                    dav1d_picture.data[0] as *mut u8,
-                    image.depth as u32,
-                ));
+                image.planes[3] = Some(unsafe {
+                    Pixels::from_raw_pointer(dav1d_picture.data[0] as *mut u8, image.depth as u32)
+                });
                 image.row_bytes[3] = dav1d_picture.stride[0] as u32;
                 image.image_owns_planes[3] = false;
                 let seq_hdr = unsafe { &(*dav1d_picture.seq_hdr) };
@@ -180,10 +179,12 @@ impl Decoder for Dav1d {
                 image.matrix_coefficients = (seq_hdr.mtrx as u16).into();
 
                 for plane in 0usize..image.yuv_format.plane_count() {
-                    image.planes[plane] = Some(Pixels::from_raw_pointer(
-                        dav1d_picture.data[plane] as *mut u8,
-                        image.depth as u32,
-                    ));
+                    image.planes[plane] = Some(unsafe {
+                        Pixels::from_raw_pointer(
+                            dav1d_picture.data[plane] as *mut u8,
+                            image.depth as u32,
+                        )
+                    });
                     let stride_index = if plane == 0 { 0 } else { 1 };
                     image.row_bytes[plane] = dav1d_picture.stride[stride_index] as u32;
                     image.image_owns_planes[plane] = false;

diff --git a/src/decoder/mod.rs b/src/decoder/mod.rs
@@ -302,9 +302,11 @@ impl Decoder {
         self.parse_state = ParseState::None;
     }
 
-    // This has an unsafe block and is intended for use only from the C API.
-    pub fn set_io_raw(&mut self, data: *const u8, size: usize) -> AvifResult<()> {
-        self.io = Some(Box::new(DecoderRawIO::create(data, size)));
+    /// # Safety
+    ///
+    /// This has an unsafe block and is intended for use only from the C API.
-    /// This has an unsafe block and is intended for use only from the C API.
+    /// This function should be called from the C API entrypoints. The function never fails.
+    ///
+    /// # Safety
+    ///
+    /// The memory at `data` must be valid for `size` bytes.
-    /// This has an unsafe block and is intended for use only from the C API.
+    /// This function should be called from the C API entrypoints. The function never fails.
+    ///
+    /// # Safety
+    ///
+    /// The memory at `data` must be valid for `size` bytes.
+    pub unsafe fn set_io_raw(&mut self, data: *const u8, size: usize) -> AvifResult<()> {
+        self.io = Some(Box::new(unsafe { DecoderRawIO::create(data, size) }));
         self.parse_state = ParseState::None;
         Ok(())
     }

diff --git a/src/internal_utils/io.rs b/src/internal_utils/io.rs
@@ -67,7 +67,7 @@ pub struct DecoderRawIO<'a> {
 }
 
 impl DecoderRawIO<'_> {
-    pub fn create(data: *const u8, size: usize) -> Self {
+    pub unsafe fn create(data: *const u8, size: usize) -> Self {
         Self {
             data: unsafe { std::slice::from_raw_parts(data, size) },
         }

diff --git a/src/internal_utils/pixels.rs b/src/internal_utils/pixels.rs
@@ -13,7 +13,7 @@ pub enum Pixels {
 }
 
 impl Pixels {
-    pub fn from_raw_pointer(ptr: *mut u8, depth: u32) -> Self {
+    pub unsafe fn from_raw_pointer(ptr: *mut u8, depth: u32) -> Self {
         if depth > 8 {
             Pixels::Pointer16(ptr as *mut u16)
         } else {

diff --git a/src/reformat/alpha.rs b/src/reformat/alpha.rs
@@ -247,10 +247,8 @@ mod tests {
             buffer.reserve_exact(buffer_size);
             buffer.resize(buffer_size, 0);
             // Use a pointer to mimic C API calls.
-            rgb.pixels = Some(Pixels::from_raw_pointer(
-                buffer.as_mut_ptr(),
-                rgb.depth as u32,
-            ));
+            rgb.pixels =
+                Some(unsafe { Pixels::from_raw_pointer(buffer.as_mut_ptr(), rgb.depth as u32) });
             rgb.row_bytes = width * 4 * pixel_size;
         } else {
             rgb.allocate()?;

diff --git a/tests/decoder_tests.rs b/tests/decoder_tests.rs
@@ -333,9 +333,11 @@ fn raw_io() {
     let data =
         std::fs::read(get_test_file("colors-animated-8bpc.avif")).expect("Unable to read file");
     let mut decoder = decoder::Decoder::default();
-    let _ = decoder
-        .set_io_raw(data.as_ptr(), data.len())
-        .expect("Failed to set IO");
+    unsafe {
+        let _ = decoder
+            .set_io_raw(data.as_ptr(), data.len())
+            .expect("Failed to set IO");
+    }
     assert!(decoder.parse().is_ok());
     assert_eq!(decoder.image_count, 5);
     if !HAS_DECODER {