FyroxEngine / Fyrox

3D and 2D game engine written in Rust

Home Page:https://fyrox.rs

Misaligned pointer exposure in `visit` of `PodVecView`

shinmao opened this issue · comments

The source of unsoundness

Hi, we found an unsound implementation that might expose a misaligned pointer and lead to undefined behavior:

```rust
fn visit(&mut self, name: &str, visitor: &mut Visitor) -> VisitResult {
    if visitor.reading {
        if let Some(field) = visitor.find_field(name) {
            match &field.kind {
                FieldKind::PodArray {
                    type_id,
                    element_size,
                    bytes,
                } => {
                    if *type_id == self.type_id {
                        let mut owned_bytes = bytes.clone();
                        let len = owned_bytes.len() / (*element_size as usize);
                        *self.vec = unsafe {
                            Vec::from_raw_parts(owned_bytes.as_mut_ptr() as *mut T, len, len)
                        };
```

First of all, the unsound callee is the safe function `visit`. At line 207, it casts a mutable `u8` pointer to a pointer of the generic type in `PodVecView`. This safe function is declared as private; therefore, it depends on internal usage of the library. In the end, we found that,

```rust
0 => {
    let mut height_map = Vec::<f32>::new();
    let mut view = PodVecView::from_pod_vec(&mut height_map);
    view.visit("Heightmap", &mut region)?;
```

At line 187, we know that `PodVecView.vec` is initialized as `Vec<f32>` here. When `view.visit()` is called, the `u8` pointer is cast to an `f32` pointer, which has a stronger alignment requirement. Please check; we are happy to discuss.
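The following is an added example, not code from the Fyrox project or from the reporter, showing the sound alternative to reinterpreting a `Vec<u8>` buffer as `Vec<T>`. `Vec::from_raw_parts` requires (per the std documentation) that `T` have the same alignment the buffer was allocated with and that `size_of::<T>() * capacity` equal the allocated size; a `Vec<u8>` is allocated with alignment 1, so for `f32` neither condition can hold, independently of whether the pointer happens to be 4-byte aligned at runtime. `pod_vec_from_bytes`, `height_map_from_bytes`, `buffer_reinterpret_is_sound` and `PodDecodeError` are names assumed for this example; the heightmap bytes in `main` are constructed test data.

```rust
use std::mem::{align_of, size_of};

/// Error returned when a byte blob cannot be decoded as a `[T]` (example type).
#[derive(Debug, PartialEq, Eq)]
pub enum PodDecodeError {
    /// The serialized element size does not match `size_of::<T>()`.
    ElementSizeMismatch { declared: usize, actual: usize },
    /// The byte length is not a multiple of the element size.
    TrailingBytes { len: usize, element_size: usize },
}

/// Checks the `Vec::from_raw_parts` preconditions for reusing a `Vec<u8>`
/// allocation as a `Vec<T>`: same alignment as the original allocation
/// (u8 has alignment 1) and an allocation size that is a whole number of `T`s.
/// For any `T` with alignment > 1 this is always false.
pub fn buffer_reinterpret_is_sound<T>(buf: &Vec<u8>) -> bool {
    let same_alignment = align_of::<T>() == align_of::<u8>();
    let whole_elements = size_of::<T>() > 0
        && buf.capacity() % size_of::<T>() == 0
        && buf.len() % size_of::<T>() == 0;
    same_alignment && whole_elements
}

/// Decodes a plain-old-data byte blob into a freshly allocated `Vec<T>`.
///
/// Instead of reinterpreting the `u8` buffer, this allocates the destination
/// with the layout of `T` (correct alignment and capacity) and copies each
/// element with `ptr::read_unaligned`, so the source alignment is irrelevant
/// and each `Vec` frees exactly the allocation it was given.
///
/// # Safety
/// `T` must be plain old data: every `size_of::<T>()`-byte pattern must be a
/// valid `T` (true for integer and float primitives, not for `bool` or enums).
pub unsafe fn pod_vec_from_bytes<T: Copy>(
    bytes: &[u8],
    element_size: u32,
) -> Result<Vec<T>, PodDecodeError> {
    let declared = element_size as usize;
    if declared != size_of::<T>() {
        return Err(PodDecodeError::ElementSizeMismatch { declared, actual: size_of::<T>() });
    }
    if bytes.len() % declared != 0 {
        return Err(PodDecodeError::TrailingBytes { len: bytes.len(), element_size: declared });
    }
    let mut out: Vec<T> = Vec::with_capacity(bytes.len() / declared);
    for chunk in bytes.chunks_exact(declared) {
        // read_unaligned copies size_of::<T>() bytes whatever the alignment
        // of chunk.as_ptr(); the caller's POD guarantee makes the value valid.
        let value = unsafe { std::ptr::read_unaligned(chunk.as_ptr() as *const T) };
        out.push(value);
    }
    Ok(out)
}

/// Safe wrapper for the concrete element type in the report (`f32`):
/// every 4-byte pattern is a valid `f32`, so the POD contract holds.
pub fn height_map_from_bytes(bytes: &[u8]) -> Result<Vec<f32>, PodDecodeError> {
    unsafe { pod_vec_from_bytes::<f32>(bytes, size_of::<f32>() as u32) }
}

fn main() {
    // Constructed sample: three native-endian f32 values serialized as bytes.
    let heights = [1.0f32, 2.5, -3.0];
    let bytes: Vec<u8> = heights.iter().flat_map(|h| h.to_ne_bytes()).collect();
    println!(
        "reusing the u8 buffer as Vec<f32> is sound: {}",
        buffer_reinterpret_is_sound::<f32>(&bytes)
    );
    println!("decoded by copy: {:?}", height_map_from_bytes(&bytes));
}
```

The check function makes the point explicit: the reinterpretation is rejected for `f32` even when the bytes are well-formed, while the copying decoder succeeds and also reports malformed input (a length that is not a multiple of the element size) instead of silently truncating it.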

Should be fixed now.