decode: use exact decoded length rather than estimation

[mina86]

Fixes: https://github.com/marshallpierce/rust-base64/issues/210 Fixes: https://github.com/marshallpierce/rust-base64/issues/212

[mina86]

By the way, I’m beginning to think that the interface for the internal_decode should be completely changed. Specifically to something like:

fn internal_decode(
    dst: *mut [MaybeUninit<u8>],
    src: *const [u8],
) -> Result<(), DecodeError>;

With the following contract:

• (*dst).len() / 3 == (*src).len() / 4,
• (*dst).len() % 3 == (*src).len() % 4 == 0,
• source has no padding bytes and
• dst and src either do not overlap, or dst as *mut () == src as *const ().

This would help address the following issues:

• https://github.com/marshallpierce/rust-base64/issues/190,
• https://github.com/marshallpierce/rust-base64/issues/210,
• https://github.com/marshallpierce/rust-base64/issues/212,
• https://github.com/marshallpierce/rust-base64/issues/226 and make those optimisations sound:
• https://github.com/marshallpierce/rust-base64/pull/179 and
• https://github.com/marshallpierce/rust-base64/pull/180.

[tgross35]

@mina86 any chance you are able to push this over the line? The author suggested in https://github.com/marshallpierce/rust-base64/issues/210#issuecomment-1799038820 that maybe this could be split up into smaller PRs.

By the way, I’m beginning to think that the interface for the internal_decode should be completely changed. Specifically to something like:

fn internal_decode(
    dst: *mut [MaybeUninit<u8>],
    src: *const [u8],
) -> Result<(), DecodeError>;

FYI this would need to be an unsafe function, and MaybeUninit doesn't add anything to integers (since all possible byte representations are valid integers)

[marshallpierce]

I'm quite happy to rearrange APIs to have nice new features, but unsafe is going to be a pretty hard sell. It adds quite a burden on users who are in environments that require auditing all unsafe.