►
Description
Materials for this talk are available at http://dev.unhandledexpression.com/slides/rust-belt-rust-2016/vlc/
VLC media player has a nice goal for users: handle almost any file or protocol you throw at it. Unfortunately, this results in a lot of parser vulnerabilities, because most of the parsing code is handwritten in C. By leveraging Rust and the nom parser combinators library, could we replace some security critical parts of VLC?
http://www.rust-belt-rust.com
A
I'm
so
far,
I'm
rehab
G
to
be
here
in
Pittsburgh's,
my
first
time
in
Pittsburgh
I've,
but
the
project
that's
been
going
on
my
life
like
some
time
now
and
was
the
reason
I
initially
came
to
worst
so
I'm
pretty
pretty
excited
to
talk
to
you
about
that.
So
hope
you
think
I
work
at
clever
cloud,
which
is
a
French
but
from
a
service
hosting
company.
A
So
it's
just
kind
of
like
a
Roku
and
others.
You
get
push
your
card,
it
runs.
We
we've
been
doing
some
rest
a
lot
these
past
few
months.
We
have
actually
a
lot
of
code
in
production.
That's
using
rust.
We
have
replaced
big
parts
of
the
infrastructure
and
I'm
really
happy
to
announce
that
now
you
can
deploy
rust
application
on
our
platform.
So
it's
just
basically
a
Calculon
on
the
cloud
push
on
as
many
instances
you
want.
It's
inverted
machines.
It
works
with
stable
and
I
tested
it
this
morning.
A
It
was
really
really
cool
to
use.
So
I'm
really
really
excited
about
that
because,
like
it
takes
some
time
to
support
new
platform
and
like
rust,
was
so
easy
to
get
there.
It's
amazing.
So
let's
talk
about
this
little
project
but
I
realize
which
I
worked
for
for
a
few
years,
so
Videoland
makes
VLC
media
player,
which
is
a
media
player,
and
the
idea
of
VLC
is
basically
you
drag
and
drop
any
file
and
it
will
work.
A
It
should
work
with,
like
almost
any
format:
HTTP
FTP
as
input
or
file
and
before
MKV
in
any
codec
anything
it
should
work.
So
it's
a
pretty
big
goal,
but
it
kind
of
works
but
doesn't
issue
that
when
you
try
to
handle
like
as
many
foremast
formats
as
existing,
so
as
our
existing
that
you
got
vulnerabilities
like
so
those
are
a
few
months
we
got
in
the
past
few
years.
A
A
Vlc
is
made
in
C,
it's
like
100,000
of
lines
of
C
everywhere
and
all
this
all
the
passing
code
is
written
in
C.
So
we
get
manual
passes
where
people
just
try
to
interpret
the
specification,
do
pointer,
arithmetic
by
hand.
We
have
formats
that
are
very,
very
ambiguous,
very
complex
to
get
right
and
so
at
some
point,
I
thought.
Maybe
there
was
a
better
solution
for
writing
pathos
in
VLC
and
make
the
whole
application
safer.
A
And
that
can
work
in
streaming
like
you
got,
data
coming
and
coming
and
coming,
and
you
have
to
pass
that
very
very
fast
because
if
you've
not
like
blocked
the
rest
of
the
decoding,
so
already
have
one
thing
we
have
memory
safe
stuff.
Can
we
get
like
good
passes
with
rust?
Well,
yes,
but
I
don't
know
if
you've
been
going
to
the
fanzine
workshop
yesterday
but
like
even
if
you
use
rust,
you
will
get
crashes
in
parser
when
you
write
manual
passes
because
it's
still
hard
to
get
right.
A
So
that's
why
I
started
to
work
on
this
little
project
called
Nam
with
the
idea
that
it
should
be
easy
to
write
a
good
passer
and
should
be
a
fun
process.
So
none
basically
is
to
fix
it's
it's.
The
approach
passing
called
the
passer
combinators.
The
idea
is
that
you
have
a
lot
of
small
functions,
a
very,
very
small
rate,
testable
like
you.
Can
you
test
any
part
of
your
parser
and
you
combine
them
in
larger
parser
in
larger
recognizer,
and
then
you
get
like
the
whole
format
and
to
do
that
right.
A
There
are
different
approaches
to
passing
in
rows
and
long
story
short
when
I
started.
Russ
was
very
very
young
and
macros
were
very
good
solution
for
that
and
I
think
they
are
still.
But
you
will.
You
will
see
how
we
really
can
get
so,
basically
rust.
None,
those
are
just
functions.
One
attack
an
input,
type,
an
output,
type
and
rare
type,
and
when
you
get
input
into
a
function
it
will
get
ever
incomplete
to
say:
okay
I
need
more
data,
which
is
very
useful
when
you're
doing
streaming
like.
A
Maybe
you
need
to
fill
up
the
buffer
a
bit
more.
No
Don
contains
the
remaining
input.
What
has
not
been
consumed
and
the
output
beta?
So
it's
it's
really
simple,
all
the
non
passers
at
this
format.
This
is
why
I
can
combine
them
very
easy
because
they
all
follow
the
same.
The
same
type,
so
yeah
macros
are
hard
right,
yeah,
not
so
much.
This
is
a
posture
that
will
recognize
alphabetic,
characters
that
terminate
it
by
digit
characters
and
will
return
the
Alpha.
A
We
are
focused
so
and
this
will
make
a
function
that
takes
byte
slices
input
and
returns
the
backdrops.
So
it's
quite
easy
to
write
when
you
expand
that
the
macro
generate
a
function
that
takes,
as
I
said,
as
input,
bytes
lights,
as
output
with
the
same
lifetime
and
everything
so
like
I
only
get
slice
of
the
input,
data
I,
don't
anything
could
be
passing
fast
and
basically
it's
just
a
big
list
of
pattern
matching.
So
it's
not
so
bad
right.
Well,
actually,
it
looks
not
like
that,
but
it's
not
that
bad
as
well.
A
Just
need
to
be
a
bit
more
explicit
in
the
way
it
does.
The
pattern
matching
lots
of
interesting
features,
so
it
works
on
my
slides.
It
was
all
strings
on
bitstreams.
So,
like
you
have
a
format
that
marks
like
on
an
even
underlined
size
of
a
bit
like
someone
asked
few
weeks
ago,
I
want
to
pass
a
list
of
eleven
bit:
integers
yeah,
Bitcoin,
okay
and
you
have
the
combinators
so
like
there
was
just
before
terminated
pass
the
first
thing
pass.
A
The
second
return
results
for
the
first
and
there
are
lots
of
different
communities
like
many.
We
try
to
apply
again
and
again
and
again
and
return
a
vector
of
the
results
pair
will
generate
a
topper
with
first
result.
Second
result:
peak
will,
recon
will
take,
will
type
a
cell
on
the
input
see
if
it
works
correctly
but
will
not
consume.
Anything.
Just
takes
a
look
at
the
data
and
say:
okay,
it's
alright!
A
A
It
works
on
all
reservations,
no
sense.
Tax
expansion,
no
no
in
portrait
I
would
have
really
liked
to
have
in
portrayed
when
I
starting
Nam.
But
it
was
I,
don't
know
0.89.
It
was
very
variable,
there's
no
STD!
It
can
walk
on
par
with
see
passers
like
if
you
want,
you
can
micro
optimize
your
passer
and
it
will
still
be
safe
and
it
can
be
as
fast
as
sea
basses.
It's
really
really
interesting
to
do
that.
It
works
with
doing
and
as
I
say
it's
just
function.
A
You
can
write
your
own
Jersey,
now
I'm
doing
non
2.0,
I'm
breaking
a
lot
of
stuff
and
I'm
doing
a
lot
of
features.
White
space
passing
so
you
just
rubbed
with
WS
mackerel
and
it
will
interspace
space
passes
between
everything.
So
this
is
for
JSON
parser,
so
it
will
try
to
pass
space.
Then
a
string,
then
a
space,
then
a
tag
and
a
space.
Then
the
value
then
a
space,
and
you
don't
have
to
write
space
everywhere
because
it
was
really
really
annoying
to
do
so.
Now
it's
automatic
with
that!
A
A
So
it's
really
really
cool
to
use
for
some
formats
like
PNG
and
just
a
new
syntax
for
those
who
use
known
before
there's
the
change
stuff,
which
is
very
ugly
to
apply
passes
in
sequence,
so
I
have
do
pass,
which
can
apply,
passer,
take
the
result
of
passer
on
storage
in
variable,
that's
usable
elsewhere,
and
that
you
can
even
return.
So
here
we
recognize
the
42
integer
and
then
we
take
the
the
length
which
is
a
Nunavut,
and
we
take
that
many
bytes
and
we
turn
those
bytes.
A
It's
very
common
pattern
in
binary
formats
to
have
a
tag
that
you
recognize
and
then
the
length
and
then
how
many
bytes
you
have
to
take.
And
after
that
a
few
thing
we
have
custom
input
types.
So
no
more
bytes
slice
or
string
limits.
You
can
do
that
on
anything
else
and
like
you
can
walk
with
Rob's,
where
you
have
a
structure
that
has
a
contiguous
buffer
abstraction,
but
this
is
really
a
lot
of
different
buffers,
so
none
can
work
with
that
and
we
can
do
some
pretty
vector
stuff
with
this.
A
Big
big
performance
gain
for
some
passers
because
I
simplified
you,
your
management,
if
you
don't
need
to
do
it
all
of
the
interesting
stuff
where
you
want
to
know
exactly
which
path
circuit,
which
part
of
the
input
most
people
run
between
that.
So
I
got
a
really
simple
way
to
get
fast
opposite.
So
let's
get
back
to
the
mid
of
the
problem.
Vlc.
A
So
do
you
know
how
a
media
player
works?
Basically,
there's
a
common
pattern
of
the
type
you
have
the
access
you
get
a
file,
you
open
the
file
or
you
open
network
feed.
You
pass
through
the
d-max.
Audrey
mixers
are
the
passes
and
you
send
you
get
multiple
streams
like
an
audio
stream,
a
video
stream,
a
subtitle
or
anything
else,
and
you
send
them
to
the
colors.
The
decoders
will
generate
data
that
can
be
filtered
like
you
can
have
post
processing
stuff
on
the
video
field,
grayscale
or
even
scaling
exactly.
A
A
Everything
like
you
have
the
audio
and
the
video
on
the
subtitle
stream
and
they
all
go
at
the
same
time,
but
they
don't
record
as
fast
like
it's
faster
to
decode,
audio
and
video
and
in
the
end
you
have
to
get
everything
at
the
same
time
when
you
present
to
the
user.
Sometimes
we
get
that
right.
Sometimes
we
don't
so
the
way
VMC
is
made.
A
Is
you
have
applications
like
VLC
the
LMC,
which
is
video,
editing
software,
the
calling
to
Libby
LC,
which
is
nice
usable
interface,
to
build
media
players
and
DiBiase
Co
is
the
manager
which
does
everything
like
load
modules,
provide
IO
access,
synchronizing
everything
and
all
the
modules
link
to
EBL
secure
for
common
features.
They
are
all
DLL
like
VLC,
reveal,
secure
and
all
of
the
VLC
modules
they
all
dynamic
libraries
and
the
modules
link
to
the
basic
of
all
the
features
and
in
VLC
Co
loads,
all
of
the
library
to
see
how
they
work.
A
So
it
seemed
to
make
a
module
in
Rus.
We
have
to
do
like
a
bit
of
dance
with
the
way.
Dll's
are
loaded,
a
module.
So
is
the
nine-minute
library
loaded
by
a
VLC
go?
They
have
to
expose
free
functions
because,
like
BB
scope,
just
try
to
load
library
take
that
function,
call
it.
It
exposed
some
metadata
on
the
whole
on
the
module,
and
then
it
knows
what
the
module
can
do.
So
the
plan,
the
plan
to
start
passing
stuff
with
rust
in
VLC,
is
to
make
a
DLL
in
rust.
That
act.
A
Just
like
a
CDL.
You
can
load
directly
in
the
program
that
can
build
with
cargo,
and
that
will
work
just
like
a
similar
in
VLC.
So
take
the
headers
reproduce
the
stuff
we
need
linked
with
VLC
Co
get
the
functions.
We
need
reproduce
the
module
serve.
Start
writing
the
parser,
because
that's
kind
of
why
I'm
here
and
the
world
start
passing
stuff
so
VLC
is
written
in
C
with
the
VLC
comment
member,
this
kind
of
macro
stuff
in
C.
A
We
always
come
back
to
macros,
I
think
and
this
kind
of
object,
like
interface
in
VLC,
where
there's
a
command
in
a
written
stuff.
So
very
common
numbers
see
that,
like
I
inherit
some
attributes
from
the
VLC
object,
lots
of
things
that
have
can
be
a
bit
hard
to
represent
like
the
Union
types
and
misdeeds,
vectors
and
everything.
So
the
first
thing
you
have
to
do
is
try
to
write
that
in
rust.
A
Since
then,
I
tried
with
several
Benjen
and
it's
able
to
under
the
VLC
other
so
as
I'll
soon
be
able
to
generate
the
whole
bindings
like
that
we've
been
joined,
it
should
be
a
lot
easier
to
do,
but
in
the
meantime,
I
wrote
those
by
hand.
Basically,
you
knew
make
rust
tracks
that
kind
of
act
like
see
spots
with
pointers
everywhere,
and
you
try
to
make
that
a
bit
safer.
So
you
import
functions
like
this
one
to
take
a
stream
and
get
a
better
of
a
specific
size.
A
You
wrap
those
in
functions
that
you
can
use
from
rust
correctly.
You
want
when
you
try
to
do
Fi,
you
want
to
isolate
all
of
the
unsafe
part,
because
you
don't
want
to
sprinkle
unsafe
everywhere
new
card.
So
a
bit
of
work
to
get
the
FFI
running
like
all
of
the
structures
I
need.
He
was
like
a
stream
T
reference,
another
stroke
with
reference.
A
B
A
Model
we
have
to
interface,
we
can
import
code
and
this
is
how
you
declare
module
in
VLC.
Again,
it's
macro
to
say:
okay,
this
is
the
name
of
my
module.
This
is
what
it
can
do.
It
can
take
an
input
stuff
and
you
can
pass
it,
and
here
are
two
functions
open
and
close
that
you
can
use
to
interact
with
that
module
and
Libby
article
just
takes
that
and
loads.
The
module
afterwards
knows
what
to
do
with
that
module.
So
when
you
expand
that
it's
got
some
seeker,
that's
bit
annoying
to
write
so
yeah,
it's.
A
Basically
it's
just
writing
code.
Let's
just
write
that
in
rust.
It's
it's
easy
to
write.
It's
very,
very
easy
to
read:
right,
no,
wait
macro
that
stuff,
yeah,
yeah,
I!
Think
there's
a
common
theme
there
that
I
really
like
micros
I,
can
help
you
in
that
case,
it's
really
useful
to
do
so.
You
see
I
declare
the
function.
Vlc
entry
like
the
way
it's
done
in
C.
A
You
have
the
VLC
entry
function
there,
okay,
so
this
is
how
the
Lib
you
see,
the
VLC
module
will
be
loaded
and
from
there
okay,
you
can
start
passing
stuff
flash
video,
it's
a
format.
That's
very
simple,
like
he
took
me
like
less
than
two
hours
to
write.
Most
of
the
format
got
audio
video,
a
few
codecs
that
are
mostly
outdated
and
here's
the
beginning
of
the
format
like
you
have
F
and
V
Charles
at
the
beginning.
Then
a
version
number
then
some
flags
to
indicate
if
you
have
audio
video
and
enough
set.
A
A
So
yeah
I
said
earlier:
okay,
there
was
change
in
number
one.
Now
we
have
do
pass,
which
is
a
bit
easier
to
use,
so
we
will
see
when
gets
a
file.
It
will
try
to
call
your
open
method
in
your
dem
excel
and
say:
okay,
I
have
some
data.
Tell
me
if
you
can
pass
that.
So
the
first
thing
is
you:
do
a
stream
pick
you
get.
A
Okay,
I
need
9
bytes
from
the
beginning
of
the
data,
and
I
will
tell
you
if
it's
something
I
can
pass
and
then
I
can
I
could
I
call
on
that
slice.
The
header
function
that
we
just
designed
here
and
if
it
passed
correctly,
it
returns
a
header
and
we
can
say
to
the
file.
Okay,
now
I
know
and
I
can
be.
I
can
pass
that
stuff
and
we
do
a
stream
seek
to
go
to
the
offset.
We.
B
A
So
when
you
reach
that
offset
most
of
the
video
formats,
they
have
multiple
streams
in
multiple
blocks,
like
one
block
of
audio
one
block
of
video
and
block
of
subtitles
data
that
will
be
interspersed
depending
on
how
the
encoder
did
the
stuff
like
there's
something
for
mp4
files,
where,
if
you
took
a
look
at
the
the
way,
people
were
writing
them
at
the
beginning.
They
put
just
at
the
end
of
the
file,
the
header
you
need
to
see.
A
So
you
have
to
go
to
the
end
of
the
stream
to
do
anything,
and
now
they
saw
that
you
can
mess
with
the
spec
and
put
that
header
just
at
the
beginning
of
the
file,
and
it
will
not
work
on
anybody
and
so
lots
of
various
stuff
in
video
format,
like
everybody,
has
good
ideas
about
how
video
format
should
be
and
they're
all
wrong.
Basically
like
yeah
I
can't
criticize
anything
but
like
if
I
design,
my
own
I,
do
some
something
shitty
as
well,
so
yeah,
something
interesting
there.
A
And
I
put
it
in
the
box
and
I'll
be
given
back
that
structure
when,
when
I'm
called
afterwards,
because
I
cannot
want
to
store
some
data
for
my
D
mixer,
and
this
is
the
way
I
can
interact
with
VDC.
So
when
I
get
to
the
first
block
ID
code,
a
tag,
let's
say:
okay,
so
do
is
video
or
script
and
I
have
the
size
of
the
data
and
a
few
things
like
a
timestamp
indicates
when
I
need
to
present
that
part
of
the
data.
A
A
A
A
A
It
is,
and
then
you
use
that
so
you
do
you
take
one
bite
with
stream
read
and
then
you
pass,
and
then
you
have
enough
data
to
know.
Okay
of
this,
this
block
of
data
size
minus
one
that
contains
audio
data,
that
I
can
put
push
to
VLC.
So
the
interesting
thing
in
there
is
rest
never
owns.
The
data
like
I
can
ask
VLC
for
some
data,
but
I
don't
manage
its
lifetime,
I'm,
not
the
one
allocating
and
not
the
one
DL
okay
team,
I'm,
just
borrowing
data
from
C
and
trying
to
not
break
stuff.
A
It's
very
important
because,
like
most
of
the
time
when
you
interact
with
C
code,
the
C
code
thinks
it
knows
better.
I
don't
agree
with
that,
but
we
have
to
play
nice.
So
don't
worry
about
the
unsafe
stuff.
It's
because
there
are
some
functions
that
take
V
a
list,
VAR
args
stuff,
and
we
had
to
miss
a
bit
with
how
function
very
clear
in
inverse.
A
So
this
is
very
simple
because,
like
in
that
posture,
I
only
read
the
letters
I
take
the
file
header
or
a
jump
to
the
next
block.
I
get
the
block
header,
which
is
like
10
bytes.
If
it's
audio
and
then
I
say:
okay,
there's
this
much
later,
you
can
use
and
I'll
be
cold
again
with
the
next
block.
So
I
never
read
much
data,
we've
known
in
this,
so
it's
it's
quite
quite
fast,
so
don't
take
no
for
it.
I
will
show
that
it
works.
Okay,
so
I.
A
I'll
be
able
to
that
yeah.
A
B
A
Spend
so
much
time
trying
to
pass
stuff,
I'm
trying
to
work
to
talk
to
see
and
everything,
and
then
it
works
in
viously
the
first
time
you
get
the
video
to
launch.
It's
such
a
good
feeling
really,
but
yeah
now
I
have
to
integrate
that
really
in
VLC,
because
it
was
just
an
applicant
that
I
built
separately
that
cough
I'd
just
in
a
village
installation.
A
So
now
the
bid
system
can
we
build
something
with
other
tools,
because
cargo
thinks
it
knows
better
how
to
build
everything
and
I
think
it's
right,
but
the
other
tools
know
better
and
you
have
to
play
nice
again.
So
how
does
it
look?
First,
you
have
to
check,
if
you
add,
there's
a
cargo
and
recei.
So
this
is
auto
calm,
stuff,
it's
pretty
nice
I
did
not
like
that.
I'll,
really
bad
bad
with
the
auto
tools,
but
it's
alright
and
then
the
idea
is
that
you
don't
build
the
dinamica
by
yourself.
A
You
build
an
object
file,
the
rust
plug-in
dot,
oh
because
there's
also
leak
tool
which
knows
better
than
you
how
to
build
a
dynamic
library
like
taco
nozzle,
to
be
library
for
Windows,
Mac
Linux
and
don't
care
it
works,
but
play
nice
with
the
build
system
play
nice
with
C
play
nice
with
the
interface
play
nice
with
the
Fi
and
it's
snowing
but
like
rust,
makes
it
kind
of
easy
to
do
so.
I'm
really
happy
with
that,
and
this
so
yeah.
A
So
from
now
your
figs
I
have
to
do
I
have
to
so.
He
ought
to
seek
in
a
fight
like
move
back
and
forth
on
every
frame.
I
have
to
put
it
back
in
the
VSC
repository
I
can
build
it
now
inside
VLC.
So
it's
quite
cool
Pradhan
Dignam
dependency
will
be
something
that's
very
interesting
because
we've
you'll
see
we
have
this
bigger
time
with
all
of
the
libraries
we
need,
and
so
for
rust,
I'd
like
to
have
that
as
well
and
then
to
complete
the
imports.
A
I
have
to
play
it
again,
a
bit
with
my
engine
and
we'll
be
able
to
replace
some
plugins.
Some
of
you
see
plugins.
If
we've
rust
and
like
you
can
do
that
with
NEC
project.
It's
easy
to
replace
a
c
project
file
by
file
but
easy
for
different
reasons:
different
definitions
of
easy,
but
it's
doable.
It's
really
doable
so
few
people
that
helped
me
Jim
kamas.
Maybe
you
talked
to
him
about
documentation.
We
can
battle
who
walks
at
Lee
baby
q
under
Lee
baby
project,
and
there
will
help
me
making
this.
So.
Thank
you.