CONCEPT Cited by 1 source

Format conformance check

A format conformance check is an app-layer validation that untrusted input adheres to its declared format specification — before the app forwards, processes, or hands off the bytes to a downstream library.

The canonical client-side instance (Meta's Kaleidoscope): before an MP4 reaches an OS-provided media parser that may contain a unpatched bug, WhatsApp's wamedia verifies that the file adheres to the MP4 standard — "we realized that a cross-platform C++ library already developed by WhatsApp to send and consistently format MP4 files (called wamedia) could be modified to detect files which do not adhere to the MP4 standard and might trigger bugs in a vulnerable OS library on the receiver side."

What the check proves

• The file is parseable as its declared type — no ambiguous structure, no truncated fields.
• The structural invariants hold — box nesting (MP4), magic numbers, required chunks, offset bounds.
• The semantic plausibility is met — reasonable frame count, reasonable duration, dimensions consistent with codec profile.
• No known-dangerous sub-structures — embedded scripting (PDF), overflow-prone atoms (MP4), parser-trap constructs known to exploit specific downstream libraries.

What it doesn't prove

• That the content is safe — a perfectly-conformant MP4 can still encode malicious content.
• That every downstream parser will accept it — different parsers have different (non-spec-mandated) tolerances; conformance to the spec does not guarantee conformance to any given parser's interpretation. This is precisely where concepts/parser-differential attacks live.
• That unknown bugs are blocked — the check defends against known trap patterns and spec-divergent inputs; truly novel exploits in spec-conformant inputs remain.

Where it fits in a stack

The format-conformance check is the pre-handoff gate:

1. App receives bytes from the network.
2. Format-conformance check (app-layer, memory-safe, auditable).
3. If conformant: hand off to downstream media library / preview / renderer.
4. If non-conformant: refuse, log, surface to UX as unsupported/dangerous.

Paired with file-type spoofing detection (type-claimed != type-actual), risk-indicator checks (PDF embedded files, JS), and dangerous-type flagging, the full ensemble is what Meta calls Kaleidoscope.

Canonical defense role

This is the primary architectural defense when:

• The downstream parser is an ungovernable OS library the app can't patch.
• The input arrives automatically on download (i.e. not gated by user action) — which makes the check itself a prime security target (memory-safety is load-bearing for the checker).
• The user base is mobile / cross-platform with significant concepts/patch-lag on the OS layer.

Seen in

• sources/2026-01-28-meta-rust-at-scale-an-added-layer-of-security-for-whatsapp — canonical wiki source. wamedia's MP4-conformance check after the 2015 Stagefright vulnerability; Kaleidoscope's four-family ensemble; Rust rewrite of wamedia so the checker itself is memory-safe.

Related

• concepts/parser-differential — the attack class that motivates format-conformance checks against ungovernable downstream parsers.
• concepts/file-type-spoofing — sibling check family inside Kaleidoscope.
• concepts/os-library-vulnerability-ungovernable — the downstream-parser regime format-conformance checks defend.
• concepts/defense-in-depth
• patterns/format-aware-malware-check-before-os-handoff
• systems/whatsapp-kaleidoscope