From f8e321d155450615f1e7be41241e6ba87b687a05 Mon Sep 17 00:00:00 2001
From: Sam Edwards
Date: Thu, 22 Feb 2018 04:57:19 -0700
Subject: [PATCH] bam: Start more strongly checking pointer types in complete_pointers This just starts with PandaNode, and uses DCAST_INTO_R instead of DCAST to catch bad bams. BamWriter should never produce bam output that will trigger this; I found this with a fuzzer. I'm unsure about the tradeoff between bam loading performance and robustness in the face of bad bams. It certainly makes a lot of sense in debug builds, but we might want to consider a compile flag that forces bam-related asserts always on even in release builds.
---
 panda/src/pgraph/pandaNode.cxx | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/panda/src/pgraph/pandaNode.cxx b/panda/src/pgraph/pandaNode.cxx
index 0d64cb0828..96b94dd0c2 100644
--- a/panda/src/pgraph/pandaNode.cxx
+++ b/panda/src/pgraph/pandaNode.cxx
@@ -3798,9 +3798,13 @@ complete_pointers(TypedWritable **p_list, BamReader *manager) {
 int pi = CycleData::complete_pointers(p_list, manager);
 // Get the state and transform pointers.
- _state = DCAST(RenderState, p_list[pi++]);
- _transform = DCAST(TransformState, p_list[pi++]);
- _prev_transform = _transform;
+ RenderState *state;
+ DCAST_INTO_R(state, p_list[pi++], pi);
+ _state = state;
+
+ TransformState *transform;
+ DCAST_INTO_R(transform, p_list[pi++], pi);
+ _prev_transform = _transform = transform;
 /*
 * Finalize these pointers now to decrement their artificially-held reference
@@ -3817,7 +3821,9 @@ complete_pointers(TypedWritable **p_list, BamReader *manager) {
 // Get the effects pointer.
- _effects = DCAST(RenderEffects, p_list[pi++]);
+ RenderEffects *effects;
+ DCAST_INTO_R(effects, p_list[pi++], pi);
+ _effects = effects;
 /*
 * Finalize these pointers now to decrement their artificially-held reference
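Review bot: As far as I can tell, the new DCAST_INTO_R guards on the `state`, `transform` and (in the second hunk) `effects` lines only reject a mistyped pointer when DCAST type verification and the assert it relies on are compiled in, so in a build where they are compiled out the cast degrades to the old unchecked conversion and the malformed bam the fuzzer produced still lands in a RenderState-typed member, which is what the description's "debug builds" caveat implies. Since the .bam contents are untrusted input at this point, a comment on the first guard would keep that limit visible to the next maintainer: `// DCAST_INTO_R rejects a mistyped bam pointer only when DCAST checking is compiled in; bam data is untrusted here.` On the failure path the function returns `pi` after the post-increment, so the count handed back excludes the pointers this node has not consumed yet and `_transform`, `_prev_transform` and `_effects` keep whatever values they held before; it is worth confirming that BamReader treats a short count as the error signal rather than continuing with a half-completed node. complete_pointers begins and ends outside both hunks.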