Are there any bugs in the Bridge.sol?

[xuebingqing]

Description

When we recently used the fuzz testing tool, we scanned the contract Bridge.sol. We found some issues and wanted to confirm with you.

    function depositAndBridgeOut(
        address originalTokenAddress,
        address pTokenAddress,
        uint64 toChainId,
        bytes calldata toAddress,
        uint256 amount,
        bytes calldata callData
    ) external override nonReentrant whenNotPaused returns(bool) {
        require(amount != 0, "amount cannot be zero!");

        // no bridge fee for deposit

        // transfer_to_this + deposit + burn = transfer_to_ptoken
        require(IPToken(pTokenAddress).tokenUnderlying() == originalTokenAddress, "invalid originalToken / pToken");
        require(IPToken(pTokenAddress).checkIfDepositWithdrawEnabled(), "ptoken deposit/withdraw not enabled");

        uint256 balanceBefore = IERC20(originalTokenAddress).balanceOf(pTokenAddress);
        IERC20(originalTokenAddress).safeTransferFrom(_msgSender(), pTokenAddress, amount);
        amount = IERC20(originalTokenAddress).balanceOf(pTokenAddress).sub(balanceBefore);

        // precision conversion
        uint8 ptokenDecimals = ERC20(pTokenAddress).decimals();
        uint8 underlyingTokenDecimals = ERC20(originalTokenAddress).decimals();
        amount = amount.mul(10**ptokenDecimals).div(10**underlyingTokenDecimals);
        require(amount != 0, "bridge amount cannot be zero!");

        return _bridgeOut(pTokenAddress, toChainId, toAddress, amount, callData);
    }

As you can see, originalTokenAddress is used as input and is controllable by the user. If there is malicious input later and implement the IERC20 interface standard, it calls safeTransferFrom without checking the originalTokenAddress parameter. Are there any problems?