fix: address Copilot review comments on PR #77

nightness · claude · nightness · commit 600462f196bb · 2026-04-08T09:24:33.000-05:00
- Reword MAX_TOTAL_LOST doc to explain u32 storage clamped to signed
  24-bit positive range for RFC 3550 wire format
- Add matching doc on ReceptionReport.total_lost field
- Fix marshal bounds check from (1 &lt;&lt; 25) to 0xFF_FFFF (correct 24-bit
  limit)
- Add boundary tests for 24-bit marshal limit (0xFF_FFFF ok, 0x100_0000
  rejected)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/rtc-interceptor/src/report/receiver_stream.rs b/rtc-interceptor/src/report/receiver_stream.rs
@@ -4,7 +4,10 @@ use std::time::Instant;
 const PACKETS_PER_ENTRY: usize = 64;
 
 /// Maximum value for `total_lost` per RFC 3550 §6.4.1.
-/// The field is a signed 24-bit integer, so the positive maximum is 0x7F_FFFF.
+///
+/// The wire format is a signed 24-bit integer.  We store it as `u32` but
+/// clamp to the signed-positive maximum (`0x7F_FFFF`) so the sign bit
+/// stays clear when the value is serialised into the 24-bit RTCP field.
 const MAX_TOTAL_LOST: u32 = 0x7F_FFFF;
 
 pub(crate) struct ReceiverStream {
diff --git a/rtc-rtcp/src/receiver_report/receiver_report_test.rs b/rtc-rtcp/src/receiver_report/receiver_report_test.rs
@@ -191,7 +191,31 @@ fn test_receiver_report_roundtrip() {
             None,
         ),
         (
-            "totallost overflow",
+            "totallost at 24-bit max",
+            ReceiverReport {
+                ssrc: 1,
+                reports: vec![ReceptionReport {
+                    total_lost: 0xFF_FFFF,
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+            None,
+        ),
+        (
+            "totallost overflow at 24-bit boundary",
+            ReceiverReport {
+                ssrc: 1,
+                reports: vec![ReceptionReport {
+                    total_lost: 0x100_0000,
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+            Some(Error::InvalidTotalLost),
+        ),
+        (
+            "totallost overflow large",
             ReceiverReport {
                 ssrc: 1,
                 reports: vec![ReceptionReport {
diff --git a/rtc-rtcp/src/reception_report.rs b/rtc-rtcp/src/reception_report.rs
@@ -29,6 +29,12 @@ pub struct ReceptionReport {
     pub fraction_lost: u8,
     /// The total number of RTP data packets from source SSRC that have
     /// been lost since the beginning of reception.
+    ///
+    /// RFC 3550 §6.4.1 defines this as a signed 24-bit integer on the wire
+    /// (negative values can occur when duplicates arrive).  We store it as
+    /// `u32` and clamp to `0x7F_FFFF` so the sign bit stays clear during
+    /// serialisation.  A future revision may switch to `i32` to fully
+    /// represent the negative-loss (duplicate) case.
     pub total_lost: u32,
     /// The least significant 16 bits contain the highest sequence number received
     /// in an RTP data packet from source SSRC, and the most significant 16 bits extend
@@ -116,8 +122,9 @@ impl Marshal for ReceptionReport {
 
         buf.put_u8(self.fraction_lost);
 
-        // pack TotalLost into 24 bits
-        if self.total_lost >= (1 << 25) {
+        // Pack TotalLost into 24 bits (RFC 3550 §6.4.1).
+        // Values above 0xFF_FFFF cannot be represented in 24 bits.
+        if self.total_lost > 0xFF_FFFF {
             return Err(Error::InvalidTotalLost);
         }
 
