Closed shinmao closed 9 months ago
Hi, we found some unsound implementation might expose the misaligned pointer and led to undefined behavior: https://github.com/FyroxEngine/Fyrox/blob/0695c61fc589d63088451cd7f6b69f54b6051832/fyrox-core/src/visitor.rs#L194-L208 First of all, the unsound callee would be safe function visit. At line 207, it would cast mutable u8 pointer to the pointer of generic type in PodVecView. This safe function was declared as private; therefore, it depends on internal usage of the library. At the end, we found that, https://github.com/FyroxEngine/Fyrox/blob/0695c61fc589d63088451cd7f6b69f54b6051832/src/scene/terrain/mod.rs#L185-L188 At line 187, we knew that PodVecView.vec was init as Vec<f32> now. When view.visit() was called, the u8 pointer would be casted to f32 pointer which had a stronger alignment requirement. Please check and happy to have discussion.
visit
u8
PodVecView
PodVecView.vec
Vec<f32>
view.visit()
f32
Should be fixed now.
mrDIMAS
commented
9 months ago mrDIMAS
commented
9 months ago
The source of unsoundness
Hi, we found some unsound implementation might expose the misaligned pointer and led to undefined behavior: https://github.com/FyroxEngine/Fyrox/blob/0695c61fc589d63088451cd7f6b69f54b6051832/fyrox-core/src/visitor.rs#L194-L208 First of all, the unsound callee would be safe function
visit. At line 207, it would cast mutableu8pointer to the pointer of generic type inPodVecView. This safe function was declared as private; therefore, it depends on internal usage of the library. At the end, we found that, https://github.com/FyroxEngine/Fyrox/blob/0695c61fc589d63088451cd7f6b69f54b6051832/src/scene/terrain/mod.rs#L185-L188 At line 187, we knew thatPodVecView.vecwas init asVec<f32>now. Whenview.visit()was called, theu8pointer would be casted tof32pointer which had a stronger alignment requirement. Please check and happy to have discussion.