[Swift] Fix verifier accepting truncated scalar vectors (OOB read/write, RCE) (#9081)

Author: alimezar

swift/Sources/FlatBuffers/Verifiable.swift

@@ -56,8 +56,15 @@ extension Verifiable {
     let len: UOffset = try verifier.getValue(at: position)
     let intLen = Int(len)
     let start = Int(clamping: (position &+ MemoryLayout<Int32>.size).magnitude)
+    let byteCount = intLen.multipliedReportingOverflow(
+      by: MemoryLayout<T>.size)
+    guard !byteCount.overflow else {
+      throw FlatbuffersErrors.outOfBounds(
+        position: UInt.max,
+        end: verifier.capacity)
+    }
     try verifier.isAligned(position: start, type: type.self)
-    try verifier.rangeInBuffer(position: start, size: intLen)
+    try verifier.rangeInBuffer(position: start, size: byteCount.partialValue)
     return (start, intLen)
   }
 }

tests/swift/Tests/Flatbuffers/FlatbuffersVerifierTests.swift

@@ -411,6 +411,27 @@ final class FlatbuffersVerifierTests {
     }
   }
 
+  @Test(.bug("https://github.com/google/flatbuffers/issues/9082"))
+  func testRejectsTruncatedScalarVector() {
+    // swiftformat:disable all
+    var byteBuffer = ByteBuffer(bytes: [
+      16, 0, 0, 0,
+      6, 0, 8, 0,
+      4, 0, 0, 0,
+      0, 0, 0, 0,
+      12, 0, 0, 0,
+      8, 0, 0, 0,
+      0, 0, 0, 0,
+      2, 0, 0, 0,
+      65, 66,
+    ])
+    // swiftformat:enable all
+
+    #expect(throws: FlatbuffersErrors.self) {
+      try getCheckedRoot(byteBuffer: &byteBuffer) as Swift_Tests_Vectors
+    }
+  }
+
   @Test
   func testValidUnionBuffer() {
     let string = "Awesome \\\\t\t\nstring!"