Should ChannelCount be a sealed trait or marked unsafe?

[ammaraskar]

Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that ChannelCount is a public and safe trait. However in these two methods:

rust-pulse-simple/src/lib.rs

Lines 142 to 147 in a2aafc1

	pub fn write(&self, data: &[C]) {
	let res = unsafe {
	let ptr = transmute(data.as_ptr());
	pa_simple_write(self.client.simple, ptr, data.len() * C::sample_size(), null_mut())
	};
	assert!(res == 0);

rust-pulse-simple/src/lib.rs

Lines 178 to 184 in a2aafc1

	pub fn read(&self, data: &mut [C]) {
	let res = unsafe {
	let ptr = transmute(data.as_mut_ptr());
	pa_simple_read(self.client.simple, ptr, data.len() * C::sample_size(), null_mut())
	};
	assert!(res >= 0);
	}

If a ChannelCount implementation overrides sample_size and returns a bigger number than expected then this could cause reading out of bounds into data. Or it could cause pulseaudio to write from past the data buffer.

Should ChannelCount or the sample_size method be marked as unsafe and this invariant documented to make sure that this critical property is observed? Alternatively, the ChannelCount trait could be sealed to prevent anyone implementing it externally.