Merge pull request #706 from imazen/fix/mozjpeg-aliasing-ub

lilith · web-flow · commit 8f44445122a4 · 2026-03-31T21:06:27.000-06:00
fix: eliminate mutable aliasing UB in mozjpeg decoder callbacks
diff --git a/imageflow_core/src/codecs/mozjpeg_decoder.rs b/imageflow_core/src/codecs/mozjpeg_decoder.rs
@@ -421,9 +421,9 @@ impl MzDec {
 
     #[unsafe(no_mangle)]
     extern "C" fn source_fill_buffer(
-        codec_info: &mut mozjpeg_sys::jpeg_decompress_struct,
+        _codec_info: *mut mozjpeg_sys::jpeg_decompress_struct,
         custom_state: *mut c_void,
-        suspend_io: &mut bool,
+        _suspend_io: *mut bool,
     ) -> bool {
         if custom_state.is_null() {
             return false;
@@ -470,7 +470,7 @@ impl MzDec {
 
     #[unsafe(no_mangle)]
     extern "C" fn source_skip_bytes(
-        codec_info: &mut mozjpeg_sys::jpeg_decompress_struct,
+        _codec_info: *mut mozjpeg_sys::jpeg_decompress_struct,
         custom_state: *mut c_void,
         mut byte_count: c_long,
     ) -> bool {
@@ -480,7 +480,7 @@ impl MzDec {
         if byte_count > 0 {
             // Re-derive decoder/source_manager references each iteration to avoid
             // holding &mut MzDec across the source_fill_buffer call (which also
-            // derives &mut MzDec from custom_state, causing mutable aliasing UB).
+            // derives &mut MzDec from custom_state).
             loop {
                 let decoder = unsafe { &mut *(custom_state as *mut MzDec) };
                 let source_manager = decoder.source_manager.as_deref_mut().unwrap();
@@ -492,7 +492,8 @@ impl MzDec {
                 let _ = source_manager;
                 let _ = decoder;
                 let mut suspend = false;
-                if !MzDec::source_fill_buffer(codec_info, custom_state, &mut suspend) {
+                if !MzDec::source_fill_buffer(_codec_info, custom_state, &mut suspend as *mut bool)
+                {
                     let decoder = unsafe { &mut *(custom_state as *mut MzDec) };
                     decoder.error = decoder.error.clone().map(|e| e.at(here!()));
                     return false;
diff --git a/imageflow_core/src/ffi/c_interop.rs b/imageflow_core/src/ffi/c_interop.rs
@@ -81,11 +81,11 @@ type WrapJpegErrorHandler = extern "C" fn(
 ) -> bool;
 
 type WrapJpegSourceManagerFunc =
-    extern "C" fn(&mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void) -> bool;
+    extern "C" fn(*mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void) -> bool;
 type WrapJpegSourceManagerFillBufferFunc =
-    extern "C" fn(&mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void, &mut bool) -> bool;
+    extern "C" fn(*mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void, *mut bool) -> bool;
 type WrapJpegSourceManagerSkipBytesFunc =
-    extern "C" fn(&mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void, c_long) -> bool;
+    extern "C" fn(*mut mozjpeg_sys::jpeg_decompress_struct, *mut c_void, c_long) -> bool;
 
 // typedef  bool (*wrap_png_custom_read_function) (png_structp png_ptr, void * custom_state, uint8_t * buffer, size_t bytes_requested, size_t * out_bytes_read);
 type WrapPngCustomReadFunction =
