From 3acd0ec7d8f0dbe27e93590eea1eb17c2f81a951 Mon Sep 17 00:00:00 2001
From: Alex Zenla
Date: Mon, 27 Oct 2025 23:24:35 -0400
Subject: [PATCH] chore(doc): document media loader safety

---
 src/utils/media_loader.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/utils/media_loader.rs b/src/utils/media_loader.rs
index f3f4954..61c75d5 100644
--- a/src/utils/media_loader.rs
+++ b/src/utils/media_loader.rs
@@ -51,6 +51,11 @@ impl MediaLoaderHandle {
     /// The next call will pass a buffer of the right size, and we should copy
     /// data into that buffer, checking whether it is safe to copy based on
     /// the buffer size.
+    ///
+    /// SAFETY: `this.address` and `this.length` are set by leaking a Box<[u8]>, so we can
+    /// be sure their pointers are valid when this is called. The caller must call this function
+    /// while inside UEFI boot services to ensure pointers are valid. Copying to `buffer` is
+    /// assumed valid because the caller must ensure `buffer` is valid by function contract.
     unsafe extern "efiapi" fn load_file(
         this: *mut MediaLoaderProtocol,
         file_path: *const DevicePathProtocol,
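Review bot: The added text documents the contract of an `unsafe fn`, so it belongs under a rustdoc `# Safety` heading rather than a `SAFETY:` prefix (that prefix is the convention for justifying an `unsafe {}` block inside a body), and it leaves the obligation on `this` itself unstated: the leaked `Box<[u8]>` argument covers `this.address`/`this.length`, but nothing says `this` must be the non-null `MediaLoaderProtocol` instance this crate installed, which is the pointer the firmware actually hands in. The `buffer` sentence is circular ("assumed valid ... by function contract") and should instead name the bound the function relies on, since the paragraph above implies a two-phase size-query-then-copy call sequence; I'd replace the last two sentences with `/// `this` must be non-null and point to the `MediaLoaderProtocol` this crate installed. `buffer` may be` / `/// null on the size-query call and is written only within the length the caller passes.`. Whether the body rejects a null `this` and clamps the copy to the caller-supplied length cannot be confirmed here, because `load_file` continues outside the hunk.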