Sorry, didn’t see your reply earlier. Let me address each of your points. First, your question about shifting work to a universal validator. The point isn’t to create one monolithic parser for all formats — it’s to enforce a structural validation layer before any decoder is allowed to operate. Think: byte-level box/frame/atom parsing for formats like MP4, MOV, PNG — where the container format is well-defined and modular. The validator isn’t decoding media; it’s checking that structure matches declared length/type bounds, box trees are sane, and forbidden segments aren’t present. This can be OS-level, just like Apple’s existing XProtect and AMFI — but for structured media, not binaries.
Can’t decoders already do this themselves?
Theoretically yes — but in practice, media decoders are huge, legacy-tangled, performance-optimized, and frequently cross-platform. Asking each one to reliably gate input based on structural sanity is like asking libc to do bounds-checking. Sandboxes help, but they’re coarse — we’re talking about a clean, minimal contract: don’t decode unless the container structure is provably valid. It’s the same logic behind memory-safe preprocessing layers.
What about subtle decoder bugs in seemingly valid media?
True — this doesn’t solve all decoder vulnerabilities. But it dramatically cuts risk by stripping malformed, truncated, recursive, or structurally deviant files before they reach the decoder logic. You can’t prevent every logic bug in a decoder, but you can gate execution to files that pass structural integrity — just like we gate executable code through signing and entitlement checks.
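A minimal version of the structural gate described above, as an added example (not code from the thread): it walks an ISOBMFF (MP4/MOV) box tree and checks every declared size against its parent's bounds, the nesting depth, and a deny list, without decoding any media. The container list follows ISO/IEC 14496-12; the `uuid` deny list, the depth bound of 8 and the sample files are constructed assumptions.

```python
import struct
# Boxes whose payload is itself a sequence of boxes (ISO/IEC 14496-12 containers).
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"dinf",
                   b"edts", b"udta", b"mvex", b"moof", b"traf"}
FORBIDDEN_BOXES = {b"uuid"}   # assumption: policy rejects vendor-extension boxes outright
MAX_DEPTH = 8                 # bound nesting so a self-referential tree cannot exhaust the stack

def box(type_, payload=b""):
    """Build a box with a 32-bit size header (used only for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), type_) + payload

def validate_boxes(data, start=0, end=None, depth=0):
    """Walk box headers in data[start:end]; return [(depth, type), ...] or raise ValueError."""
    end = len(data) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError("nesting deeper than %d at offset %d" % (MAX_DEPTH, start))
    seen, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated box header at offset %d" % pos)
        size, type_ = struct.unpack_from(">I4s", data, pos)
        header = 16 if size == 1 else 8   # size == 1 means a 64-bit largesize follows the type
        if end - pos < header:
            raise ValueError("truncated largesize at offset %d" % pos)
        if size == 1:
            (size,) = struct.unpack_from(">Q", data, pos + 8)
        elif size == 0:                   # size == 0 means the box runs to the end of its region
            size = end - pos
        if size < header:
            raise ValueError("box %r at %d declares size %d below header length" % (type_, pos, size))
        if pos + size > end:
            raise ValueError("box %r at %d ends at %d past enclosing end %d" % (type_, pos, pos + size, end))
        if type_ in FORBIDDEN_BOXES:
            raise ValueError("forbidden box %r at offset %d" % (type_, pos))
        seen.append((depth, type_))
        if type_ in CONTAINER_BOXES:      # only containers are recursed; leaf payloads are never parsed
            seen += validate_boxes(data, pos + header, pos + size, depth + 1)
        pos += size
    return seen

def check(data):  # the gate: (True, summary) lets the file reach a decoder, (False, reason) drops it
    try:
        return True, "%d boxes" % len(validate_boxes(data))
    except ValueError as err:
        return False, str(err)

# Constructed samples: a sane ftyp+moov tree, and a trak claiming 64 bytes inside a 16-byte moov.
GOOD = box(b"ftyp", b"isom\0\0\0\0") + box(b"moov", box(b"mvhd", b"\0" * 8) + box(b"trak", box(b"tkhd", b"\0" * 4)))
BAD_OVERRUN = box(b"moov", struct.pack(">I4s", 64, b"trak"))
```

Truncating `GOOD` by a few bytes, or appending a partial header to it, is rejected by the same two bounds checks, so the decoder never sees either file.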
Thanks for the thoughtful reply!
Jamweba