Struct DecoderLimits 

#[non_exhaustive]
pub struct DecoderLimits {
    pub max_pixels_per_frame: u64,
    pub max_alloc_bytes_per_frame: u64,
    pub max_alloc_count_per_frame: u32,
    pub max_arenas_in_flight: u8,
    pub max_decoded_audio_seconds_per_packet: u32,
}

Caps that bound a single decoder’s peak resource use.

Defaults are intentionally generous (32 k × 32 k pixels, 1 GiB per arena, 60 s of decoded audio per packet, …) so existing real-world media decodes unchanged. Callers wanting tighter bounds (e.g. a server processing untrusted uploads) should construct DecoderLimits explicitly with the builder methods.

Copy and Default so the struct travels through hot paths without indirection. #[non_exhaustive] so future caps can be added without breaking semver — use DecoderLimits::default and the with_* builder methods rather than struct-literal syntax.

Fields (Non-exhaustive)

Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

max_pixels_per_frame: u64

Hard cap on width × height for a single decoded video frame. Header-parse code computes this product (using u64 to avoid u32::MAX × u32::MAX overflow) and compares against this cap before allocating any plane. Default: 32_768 × 32_768 = 1_073_741_824 pixels (4 GiB at 32-bpp / 1 GiB at 8-bpp).

max_alloc_bytes_per_frame: u64

Hard cap on the total bytes any single decoded frame may consume across all of its plane allocations. Also defines the per-arena capacity — see crate::arena::ArenaPool::new. Default: 1 GiB. Tighter than max_pixels_per_frame × bytes_per_pixel for catching pathological pixel formats (e.g. a 16-bit-per-channel RGBA surface at near-cap dimensions).

max_alloc_count_per_frame: u32

Hard cap on the count of allocations performed inside a single arena, regardless of total bytes. Catches small-alloc DoS (e.g. one alloc per macroblock × millions of macroblocks where the bytes-per-frame check would be too loose to fire). Default: 1_000_000 allocations.

max_arenas_in_flight: u8

Hard cap on how many arenas a single decoder may have in flight at once — i.e. the size of the per-decoder ArenaPool. When all arenas are checked out the next lease() returns Error::ResourceExhausted, providing automatic backpressure: a slow downstream consumer stalls the decoder rather than letting it grow memory unboundedly. Default: 8 arenas.

max_decoded_audio_seconds_per_packet: u32

Audio-only cap on the wall-clock duration (in seconds) of decoded samples a single packet may produce. Header-parse code computes (samples_per_frame × frames_per_packet) / sample_rate and rejects packets whose declared output exceeds this. Default: 60 seconds — far more than any real-world AAC/Opus/etc. packet would ever produce, but finite enough to refuse a malformed packet that claims hours of output.

Implementations

impl DecoderLimits

pub fn with_max_pixels_per_frame(self, n: u64) -> Self

Tighten the per-frame pixel cap. See DecoderLimits::max_pixels_per_frame.

pub fn with_max_alloc_bytes_per_frame(self, n: u64) -> Self

Tighten the per-frame allocation byte cap (also defines arena capacity). See DecoderLimits::max_alloc_bytes_per_frame.

pub fn with_max_alloc_count_per_frame(self, n: u32) -> Self

Tighten the per-frame allocation count cap. See DecoderLimits::max_alloc_count_per_frame.

pub fn with_max_arenas_in_flight(self, n: u8) -> Self

Tighten the per-decoder pool size. See DecoderLimits::max_arenas_in_flight.

pub fn with_max_decoded_audio_seconds_per_packet(self, n: u32) -> Self

Tighten the per-packet decoded-audio duration cap. See DecoderLimits::max_decoded_audio_seconds_per_packet.

Trait Implementations

impl Clone for DecoderLimits

fn clone(&self) -> DecoderLimits

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DecoderLimits

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for DecoderLimits

fn default() -> Self

Returns the “default value” for a type.

impl PartialEq for DecoderLimits

fn eq(&self, other: &DecoderLimits) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Copy for DecoderLimits

impl Eq for DecoderLimits

impl StructuralPartialEq for DecoderLimits