Decoder DoS-protection limits.
DecoderLimits is a small Copy + Default configuration struct
threaded through CodecParameters so every
decoder constructed from a stream sees the same caps. Each cap is a
conservative default chosen to be generous enough that no real-world
file trips it but tight enough that a malicious input (huge declared
dimensions in a tiny container, decompression bombs, etc.) returns
Error::ResourceExhausted instead
of OOM-ing the process.
Two layers consume these caps:
- Header-parse layer. Every decoder, immediately after parsing a stream/sequence header that declares dimensions, channel/group counts, or sample-rate × duration products, must check those declared values against DecoderLimits::max_pixels_per_frame / DecoderLimits::max_decoded_audio_seconds_per_packet before any allocation. A 1 GiB declared frame in a 4 KiB file should error here without ever calling Vec::with_capacity.
- Arena layer. ArenaPool honours DecoderLimits::max_arenas_in_flight (pool size) and DecoderLimits::max_alloc_bytes_per_frame (arena capacity). DecoderLimits::max_alloc_count_per_frame catches small-alloc DoS where each individual allocation is tiny but the count grows unbounded (e.g. one alloc per macroblock × millions of macroblocks).
The struct is Copy so threading it through call chains never
involves clones or refcounts. It is also #[non_exhaustive] so
additional caps can be added without a semver break — construct
defaults with DecoderLimits::default and use the builder methods
to tighten individual fields.
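The header-parse check described above, as an added example that is not the crate's own code: a cut-down DecoderLimits with two of the caps, a builder method, and a check that rejects a declared geometry before any Vec is sized. The Error enum, the FrameHeader type, the default values and the function names are assumptions for this example.

```rust
#[derive(Debug, PartialEq)]
pub enum Error { ResourceExhausted }

#[derive(Clone, Copy, Debug)]
#[non_exhaustive]
pub struct DecoderLimits {
    pub max_pixels_per_frame: u64,
    pub max_alloc_bytes_per_frame: u64,
}

impl Default for DecoderLimits {
    // Constructed defaults for this example: 64 Mpixel frames, 512 MiB per frame.
    fn default() -> Self {
        Self { max_pixels_per_frame: 64 << 20, max_alloc_bytes_per_frame: 512 << 20 }
    }
}

impl DecoderLimits {
    /// Builder method that tightens one cap; the other fields keep their defaults.
    pub fn with_max_pixels_per_frame(mut self, v: u64) -> Self {
        self.max_pixels_per_frame = v;
        self
    }
}

/// Geometry as declared by a sequence header (assumed shape for the example).
pub struct FrameHeader { pub width: u32, pub height: u32, pub bytes_per_pixel: u32 }

/// Header-parse layer: validate the declared size BEFORE any allocation.
/// Checked arithmetic so a huge width*height cannot wrap to a small value.
pub fn check_frame_header(h: &FrameHeader, limits: &DecoderLimits) -> Result<usize, Error> {
    let pixels = u64::from(h.width).checked_mul(u64::from(h.height)).ok_or(Error::ResourceExhausted)?;
    if pixels > limits.max_pixels_per_frame { return Err(Error::ResourceExhausted); }
    let bytes = pixels.checked_mul(u64::from(h.bytes_per_pixel)).ok_or(Error::ResourceExhausted)?;
    if bytes > limits.max_alloc_bytes_per_frame { return Err(Error::ResourceExhausted); }
    usize::try_from(bytes).map_err(|_| Error::ResourceExhausted)
}

/// Only once the check passes is the frame buffer sized from the header.
pub fn alloc_frame(h: &FrameHeader, limits: &DecoderLimits) -> Result<Vec<u8>, Error> {
    Ok(vec![0u8; check_frame_header(h, limits)?])
}
```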
Structs
- DecoderLimits: Caps that bound a single decoder’s peak resource use.