fix: critical zero-copy and format conversion bugs

[wysaid]

Summary

This PR fixes 11 critical and medium-priority bugs across zero-copy buffer handling, pixel format conversion, and API consistency. All issues were identified through comprehensive code audit and verified through automated testing.

Bugs Fixed

Critical (HIGH) — Memory Safety

1. Double CVPixelBufferUnlockBaseAddress in Apple camera (ccap_imp_apple.mm:927)

   • When conversion fails, zeroCopy flips to true but unlock already ran
   • Second unlock causes undefined behavior
   • Fix: Move unlock inside if (!zeroCopy) guard

2. Double CVPixelBufferUnlockBaseAddress in Apple file reader (ccap_file_reader_apple.mm:401)

   • Identical issue in file reader path
   • Fix: Move unlock inside if (!zeroCopy) guard

3. Use-after-free in Windows file reader (ccap_file_reader_windows.cpp:465)

   • inplaceConvertFrame return value never captured
   • Buffer freed but frame data[0] still references it
   • Fix: Capture return value to update zeroCopy flag

Dangling Pointer (MEDIUM) — Resource Management

4-6. Dangling nativeHandle after conversion

• Files: ccap_imp_apple.mm, ccap_file_reader_apple.mm, ccap_imp_windows.cpp
• nativeHandle set before zeroCopy check, never cleared on non-zero-copy path
• Can cause double-AddRef or resource leaks
• Fix: Clear nativeHandle = nullptr when conversion succeeds

Format Conversion (MEDIUM) — Edge Cases

7. Conversion to Unknown format (ccap_imp_windows.cpp:855, ccap_imp_windows_msmf.cpp:804)
   • If user doesn't set outputPixelFormat, shouldConvert attempts Unknown
   • Fails silently with no diagnostics
   • Fix: Guard with outputPixelFormat != PixelFormat::Unknown

8-9. Silent format conversion failures (ccap_convert_frame.cpp:235)

• YUV→different-YUV and RGB→YUV fail with no warnings
• Users get wrong data without knowing why
• Fix: Add diagnostic CCAP_LOG_W warnings

Documentation (LOW) — Clarity & Accuracy

• Fix typo in kPixelFormatBGRBit comment (ccap_def.h:37)
• Remove misleading @refitem #NV12 from I420 docs (ccap_def.h:78)
• Clarify zero-copy requirements in PixelFormatOutput docs (ccap_def.h:200)
• Document Apple YUV subtype behavior in zeroCopy formula

Testing & Verification

✅ All 907 functional tests pass
✅ AddressSanitizer memory checks enabled - no violations
✅ Build succeeds on macOS (Debug and Release)
✅ Code formatted with clang-format
✅ No regressions in existing test suite

Files Changed

• include/ccap_def.h (documentation fixes)
• src/ccap_convert_frame.cpp (warning logs)
• src/ccap_file_reader_apple.mm (double-unlock + nativeHandle)
• src/ccap_file_reader_windows.cpp (return value capture)
• src/ccap_imp_apple.mm (double-unlock + nativeHandle + documentation)
• src/ccap_imp_windows.cpp (nativeHandle + shouldConvert guard)
• src/ccap_imp_windows_msmf.cpp (shouldConvert guard)

Summary by CodeRabbit

• Bug Fixes

  • Preserve zero-copy frame handling and only perform buffer unlock/cleanup when conversions actually require copies.
  • Use an effective output format (falls back to the camera frame when unset) to avoid unnecessary conversions across platforms.
  • Emit one-time warnings and reject unsupported RGB↔YUV or mismatched YUV-subtype conversions.

• Documentation

  • Clarified pixel-format behaviors, conversion fast-path conditions, and YUV conversion requirements.

[coderabbitai]

Walkthrough

Refines pixel-format conversion and zero-copy decisions across platforms: normalize unspecified output formats to the camera/frame format, add logged early-fails for unsupported RGB→YUV and YUV-subtype conversions, and conditionally unlock/clear native buffers only when conversion actually performed.

Changes

Cohort / File(s)	Summary
Documentation and Constants include/ccap_def.h	Fixes kPixelFormatBGRBit doc, removes an obsolete NV12 cross-ref, and expands PixelFormatOutput docs to clarify RGB→YUV impossibility, libyuv-dependent YUV-subtype behavior, Unknown-output fallback to native camera format, and refined same-format fast-path semantics.
Conversion Logic src/ccap_convert_frame.cpp, src/ccap_utils.h	Include ccap_utils.h for logging; when input/output are both YUV with differing subtypes or when input is RGB and output is YUV, emit a one-time warning and return false (explicit failure paths added).
Apple file reader & capture src/ccap_file_reader_apple.mm, src/ccap_imp_apple.mm	Compute effectiveOutputFormat (fallback to frame pixel format when output is Unknown); use it for YUV detection and conversion decision; only unlock/clear native pixel buffer when conversion did not end in zero-copy.
Windows file reader & providers src/ccap_file_reader_windows.cpp, src/ccap_imp_windows.cpp, src/ccap_imp_windows.h, src/ccap_imp_windows_msmf.cpp	Introduce effectiveOutputFormat fallback logic, use it for is‑YUV/shouldConvert checks and pass to inplaceConvertFrame; compute zeroCopy from the actual conversion result; initialize/restore nativeHandle only in the zero-copy fallback; minor QueryInterface spacing normalization.
Linux provider src/ccap_imp_linux.cpp, src/ccap_imp_linux.h	Add effectiveOutputFormat fallback for Unknown output and use it for YUV/convert decisions; minor formatting change to in-class member init spacing.

Sequence Diagram(s)

sequenceDiagram
    participant Camera as Camera (native)
    participant Provider as Provider (platform reader)
    participant Converter as inplaceConvertFrame
    participant Frame as Frame (buffer)

    rect rgba(200,200,255,0.5)
    Camera->>Provider: deliver raw frame (pixelFormat)
    end

    Provider->>Provider: compute effectiveOutputFormat = outputProp ?: frame.pixelFormat
    Provider->>Converter: call inplaceConvertFrame(frame, effectiveOutputFormat)
    alt Converter performs zero-copy (no conversion needed)
        Converter-->>Provider: returns true (zero-copy)
        Provider->>Frame: keep nativeHandle, do not unlock
    else Converter performs conversion
        Converter-->>Provider: returns false (conversion done)
        Provider->>Frame: unlock/release native buffer, clear nativeHandle
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: enable YUY2/UYVY camera capture on Windows (DirectShow) #47: Modifies ProviderDirectShow::SampleCB and packed YUV handling—overlaps with zero-copy/nativeHandle and effectiveFormat changes.
• Support linux via v4l2, and add some build tests. #3: Edits pixel-format handling and provider conversion logic across platforms, similar header/logic areas.
• Add support for NEON instruction acceleration, optimize the iOS demo, and enable frame rate and resolution switching settings. #4: Header-level edits to include/ccap_def.h, touches related enum/documentation territory.

Suggested reviewers

• Lozg2
• yixy-only

Poem

🐰 Hopping through frames with careful art,
I pick the format, play my part.
If conversion’s needed, I blink and warn,
Else keep the buffer till new dawn.
A tiny hop—zero-copy, carry on!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: critical zero-copy and format conversion bugs' directly and accurately describes the main changes in the pull request, which address multiple critical bugs in zero-copy buffer handling and pixel format conversion across multiple platform-specific implementations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/zero-copy-and-format-conversion-bugs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR addresses multiple correctness and safety issues around zero-copy buffer lifetime management, pixel-format conversion edge cases, and API/documentation consistency across Apple and Windows providers.

Changes:

• Fixes zero-copy lifetime bugs (double-unlock, dangling nativeHandle, and a Windows file-reader zero-copy flag bug).
• Hardens pixel-format conversion decisions (avoid attempting conversion when PixelFormatOutput is Unknown) and adds diagnostics for unsupported conversions.
• Updates public documentation/comments for pixel format constants and output-format behavior.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
src/ccap_imp_windows_msmf.cpp	Guards format conversion decision when output format is Unknown.
src/ccap_imp_windows.h	COM QueryInterface signature formatting cleanup.
src/ccap_imp_windows.cpp	Fixes nativeHandle handling and guards conversion decision when output format is Unknown; formatting cleanup for QueryInterface.
src/ccap_imp_linux.h	Minor braced-initializer formatting changes for V4L2 structs.
src/ccap_imp_apple.mm	Fixes double-unlock and clears nativeHandle on non-zero-copy conversion success; adds clarifying comment about YUV subtype behavior.
src/ccap_file_reader_windows.cpp	Captures conversion return value to correctly update zeroCopy.
src/ccap_file_reader_apple.mm	Fixes double-unlock and clears nativeHandle on non-zero-copy conversion success.
src/ccap_convert_frame.cpp	Adds warning logs for unsupported conversion cases; adds include for logging utilities.
include/ccap_def.h	Documentation fixes/clarifications for pixel-format bits and PixelFormatOutput behavior.

Comments suppressed due to low confidence (1)

src/ccap_imp_windows_msmf.cpp:815

• Same issue as the DirectShow path: outputPixelFormat == PixelFormat::Unknown disables shouldConvert, but if shouldFlip is true the code still calls inplaceConvertFrame(..., PixelFormat::Unknown, ...), which can yield pixelFormat == Unknown / unintended conversions. Treat Unknown as “no conversion” by computing an effectiveOutputFormat (fallback to newFrame->pixelFormat) and using it for isOutputYUV, shouldConvert, and the conversion call.

        bool shouldFlip = !isOutputYUV && targetOrientation != m_inputOrientation;
        bool shouldConvert = m_frameProp.outputPixelFormat != PixelFormat::Unknown &&
            newFrame->pixelFormat != m_frameProp.outputPixelFormat;
        bool zeroCopy = !shouldConvert && !shouldFlip;

        if (!zeroCopy) {
            if (!newFrame->allocator) {
                newFrame->allocator = m_allocatorFactory ? m_allocatorFactory() : std::make_shared<DefaultAllocator>();
            }

            zeroCopy = !inplaceConvertFrame(newFrame.get(), m_frameProp.outputPixelFormat, shouldFlip);
            newFrame->sizeInBytes = newFrame->stride[0] * newFrame->height +
                (newFrame->stride[1] + newFrame->stride[2]) * newFrame->height / 2;

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

src/ccap_file_reader_apple.mm (1)

384-404: ⚠️ Potential issue | 🟠 Major

Unset PixelFormatOutput still forces a bogus conversion here.

setupAssetReader() already chooses BGRA/NV12 when prop.outputPixelFormat is PixelFormat::Unknown, but shouldConvert still compares against Unknown. That sends the frame through inplaceConvertFrame(..., PixelFormat::Unknown, ...), tags the copied buffer as Unknown, and disables the zero-copy fast path for the default configuration. Derive an effective target format before computing shouldConvert and calling inplaceConvertFrame().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ccap_file_reader_apple.mm` around lines 384 - 404, The code currently
uses prop.outputPixelFormat directly even when it's PixelFormat::Unknown,
causing unnecessary conversion and disabling zero-copy; compute an effective
output pixel format before checking shouldConvert and before calling
inplaceConvertFrame: derive effectiveOutput = (prop.outputPixelFormat ==
PixelFormat::Unknown) ? (isOutputYUV ? PixelFormat::NV12 : PixelFormat::BGRA) :
prop.outputPixelFormat (matching setupAssetReader logic), then use
effectiveOutput for shouldConvert and pass it to
inplaceConvertFrame(newFrame.get(), effectiveOutput, shouldFlip), and ensure
newFrame->pixelFormat/nativeHandle are set consistently based on that effective
output.

src/ccap_file_reader_windows.cpp (1)

449-466: ⚠️ Potential issue | 🟠 Major

PixelFormatOutput == Unknown still breaks the default file-reader path.

When callers leave outputPixelFormat unset, configureOutput() requests RGB32, while ProviderDirectShow::frameOrientation() still defaults to BottomToTop. That makes Line 465 call inplaceConvertFrame(newFrame.get(), PixelFormat::Unknown, true) on default RGB frames, so the copied buffer comes back tagged Unknown instead of BGRA32. Use the actual reader output format whenever prop.outputPixelFormat is unset.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ccap_file_reader_windows.cpp` around lines 449 - 466, The code uses
prop.outputPixelFormat even when it is PixelFormat::Unknown, causing wrong
conversion/flip decisions; change the logic to compute an effective output
format (e.g., effectiveOutput = prop.outputPixelFormat == PixelFormat::Unknown ?
newFrame->pixelFormat : prop.outputPixelFormat) and use that effectiveOutput
when computing isOutputYUV, targetOrientation, shouldConvert and when calling
inplaceConvertFrame(newFrame.get(), effectiveOutput, ...); this ensures the
reader's actual output format (newFrame->pixelFormat) is used whenever
prop.outputPixelFormat is unset.

src/ccap_imp_windows.cpp (1)

845-857: ⚠️ Potential issue | 🟠 Major

Restore orientation from the actual retained format after fallback.

newFrame->orientation is fixed from m_frameProp.outputPixelFormat before we know whether conversion will happen. On DirectShow that is observable: outputPixelFormat == Unknown on a YUV camera now returns a zero-copy YUV frame marked BottomToTop, and RGB→YUV failures return the original RGB sample with a TopToBottom orientation. Use an effective target format for the conversion attempt, and if zeroCopy survives, reset orientation from the retained input format instead of the requested one.

Also applies to: 949-953

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ccap_imp_windows.cpp` around lines 845 - 857, newFrame->orientation is
being set from the requested output format before we know if conversion actually
occurs; compute an effective target format (e.g. effectiveOutput =
(m_frameProp.outputPixelFormat == PixelFormat::Unknown ?
m_frameProp.cameraPixelFormat : m_frameProp.outputPixelFormat) or otherwise
determine the retained format after a failed conversion) before setting
newFrame->orientation, then evaluate shouldConvert/zeroCopy against that
effectiveOutput; if zeroCopy remains true, reset newFrame->orientation from the
retained input orientation (m_frameOrientation or derived from
m_frameProp.cameraPixelFormat) instead of the requested format. Apply the same
change to the equivalent block around the other occurrence (the block referenced
at 949-953) so orientation is restored from the actual retained format when
conversion/fallback logic results in zero-copy.

src/ccap_imp_windows_msmf.cpp (1)

750-752: ⚠️ Potential issue | 🟠 Major

Avoid calling inplaceConvertFrame() with PixelFormat::Unknown.

The new guard only fixes shouldConvert. If outputPixelFormat is unset and this path is entered because of shouldFlip, Line 813 still passes PixelFormat::Unknown into inplaceConvertFrame(), which yields copied frames tagged Unknown and can hit the BGR24 swapRB assert. Compute an effective target format first (output != Unknown ? output : newFrame->pixelFormat) and use it for isOutputYUV, shouldConvert, and the conversion call.

Also applies to: 803-814

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/ccap_imp_windows_msmf.cpp` around lines 750 - 752, The code computes
isOutputYUV and shouldConvert using m_frameProp.outputPixelFormat directly, but
if outputPixelFormat is Unknown and we still call inplaceConvertFrame we end up
passing PixelFormat::Unknown into inplaceConvertFrame (causing copied frames
tagged Unknown and downstream asserts). Fix by first computing an effective
target pixel format (e.g. PixelFormat effectiveOutput =
(m_frameProp.outputPixelFormat != PixelFormat::Unknown) ?
m_frameProp.outputPixelFormat : newFrame->pixelFormat), then use effectiveOutput
for isOutputYUV, for shouldConvert checks, for determining targetOrientation,
and pass effectiveOutput (or ensure inplaceConvertFrame is called with
newFrame->pixelFormat updated to a concrete format) when calling
inplaceConvertFrame and related conversion logic (apply same change to the logic
covering the 803-814 block).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/ccap_file_reader_apple.mm`:
- Around line 384-404: The code currently uses prop.outputPixelFormat directly
even when it's PixelFormat::Unknown, causing unnecessary conversion and
disabling zero-copy; compute an effective output pixel format before checking
shouldConvert and before calling inplaceConvertFrame: derive effectiveOutput =
(prop.outputPixelFormat == PixelFormat::Unknown) ? (isOutputYUV ?
PixelFormat::NV12 : PixelFormat::BGRA) : prop.outputPixelFormat (matching
setupAssetReader logic), then use effectiveOutput for shouldConvert and pass it
to inplaceConvertFrame(newFrame.get(), effectiveOutput, shouldFlip), and ensure
newFrame->pixelFormat/nativeHandle are set consistently based on that effective
output.

In `@src/ccap_file_reader_windows.cpp`:
- Around line 449-466: The code uses prop.outputPixelFormat even when it is
PixelFormat::Unknown, causing wrong conversion/flip decisions; change the logic
to compute an effective output format (e.g., effectiveOutput =
prop.outputPixelFormat == PixelFormat::Unknown ? newFrame->pixelFormat :
prop.outputPixelFormat) and use that effectiveOutput when computing isOutputYUV,
targetOrientation, shouldConvert and when calling
inplaceConvertFrame(newFrame.get(), effectiveOutput, ...); this ensures the
reader's actual output format (newFrame->pixelFormat) is used whenever
prop.outputPixelFormat is unset.

In `@src/ccap_imp_windows_msmf.cpp`:
- Around line 750-752: The code computes isOutputYUV and shouldConvert using
m_frameProp.outputPixelFormat directly, but if outputPixelFormat is Unknown and
we still call inplaceConvertFrame we end up passing PixelFormat::Unknown into
inplaceConvertFrame (causing copied frames tagged Unknown and downstream
asserts). Fix by first computing an effective target pixel format (e.g.
PixelFormat effectiveOutput = (m_frameProp.outputPixelFormat !=
PixelFormat::Unknown) ? m_frameProp.outputPixelFormat : newFrame->pixelFormat),
then use effectiveOutput for isOutputYUV, for shouldConvert checks, for
determining targetOrientation, and pass effectiveOutput (or ensure
inplaceConvertFrame is called with newFrame->pixelFormat updated to a concrete
format) when calling inplaceConvertFrame and related conversion logic (apply
same change to the logic covering the 803-814 block).

In `@src/ccap_imp_windows.cpp`:
- Around line 845-857: newFrame->orientation is being set from the requested
output format before we know if conversion actually occurs; compute an effective
target format (e.g. effectiveOutput = (m_frameProp.outputPixelFormat ==
PixelFormat::Unknown ? m_frameProp.cameraPixelFormat :
m_frameProp.outputPixelFormat) or otherwise determine the retained format after
a failed conversion) before setting newFrame->orientation, then evaluate
shouldConvert/zeroCopy against that effectiveOutput; if zeroCopy remains true,
reset newFrame->orientation from the retained input orientation
(m_frameOrientation or derived from m_frameProp.cameraPixelFormat) instead of
the requested format. Apply the same change to the equivalent block around the
other occurrence (the block referenced at 949-953) so orientation is restored
from the actual retained format when conversion/fallback logic results in
zero-copy.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 085631ae-50ad-485b-bb86-f7ee4390c26c

📥 Commits

Reviewing files that changed from the base of the PR and between 28c4fa4 and 6216bc3.

📒 Files selected for processing (9)

• include/ccap_def.h
• src/ccap_convert_frame.cpp
• src/ccap_file_reader_apple.mm
• src/ccap_file_reader_windows.cpp
• src/ccap_imp_apple.mm
• src/ccap_imp_linux.h
• src/ccap_imp_windows.cpp
• src/ccap_imp_windows.h
• src/ccap_imp_windows_msmf.cpp

[wysaid]

@Auggie review

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/ccap_convert_frame.cpp`:
- Around line 233-240: Change the one-time warning flags in
inplaceConvertFrame() from unprotected static bool to std::atomic_bool and use
an atomic compare-and-exchange to set the flag and decide whether to log, e.g.,
declare static std::atomic_bool sLoggedYuv2YuvUnsupported{false} and replace the
current if-check/assignment with a compare_exchange_strong-based operation so
only the thread that successfully flips false->true emits CCAP_LOG_W; do the
same for the other static warning flag(s), and add `#include` <atomic>.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 67c2375a-b458-4842-9311-359b3f82ddc9

📥 Commits

Reviewing files that changed from the base of the PR and between 6216bc3 and 52ec4a3.

📒 Files selected for processing (8)

• include/ccap_def.h
• src/ccap_convert_frame.cpp
• src/ccap_file_reader_apple.mm
• src/ccap_file_reader_windows.cpp
• src/ccap_imp_apple.mm
• src/ccap_imp_linux.cpp
• src/ccap_imp_windows.cpp
• src/ccap_imp_windows_msmf.cpp

✅ Files skipped from review due to trivial changes (2)

• src/ccap_file_reader_apple.mm
• include/ccap_def.h

🚧 Files skipped from review as they are similar to previous changes (4)

• src/ccap_imp_windows_msmf.cpp
• src/ccap_file_reader_windows.cpp
• src/ccap_imp_apple.mm
• src/ccap_imp_windows.cpp