Video decoders parse untrusted bitstreams from the internet — they are a prime target for memory corruption exploits. Historical CVEs in video decoders (libvpx, dav1d, ffmpeg) are overwhelmingly buffer overflows, use-after-free, and integer overflows in C parsing code.
We completed rav2d — a full Rust port of dav2d, the AV2 video decoder.
By the numbers
- 47,000+ lines of Rust across 47 source files
- 786 unit tests passing
- 100% of C decoder logic ported
- Assembly DSP kernels shared via FFI (not rewritten)
What's ported
The entire decode pipeline: OBU parsing, MSAC entropy decoding, block decode (intra/inter/compound), deblocking filter, CDEF, loop restoration (NS/PC Wiener, GDF), film grain synthesis, motion compensation, inverse transforms, reference management, and thread task scheduling.
Why Rust?
| Component | dav2d (C) | rav2d (Rust) |
|---|---|---|
| Bitstream parsing | C (unsafe) | Rust (bounds-checked) |
| Decode orchestration | C (unsafe) | Rust (safe, typed) |
| Filter pipeline | C (unsafe) | Rust (bounds-checked) |
| DSP kernels | Assembly | Assembly (shared via FFI) |
| Type safety | Weak (enums as ints) | Strong (enum variants, pattern matching) |
Approach
Following the proven rav1d strategy (AV1 Rust port, funded by Prossimo/ISRG):
- FFI bindings to dav2d's hand-optimized assembly
- Progressive C-to-Rust port of the core decoder
- Conformance testing at every step
Repo: github.com/stukenov/rav2d
BSD 2-Clause license.
Top comments (0)