reflection: bounds-check the union type-vector field in VerifyVector

evilgensec · evilgensec · commit 6cdfc975b029 · 2026-06-04T15:38:48.000+05:45
VerifyVector reads the union type-vector slot at vec_field.offset() - sizeof(voffset_t) via GetPointer with no VerifyField, while the value-vector slot is verified. flatbuffers::Verify can therefore dereference an out-of-range vtable offset on a malformed buffer. Add the same VerifyField the value path uses before reading the type vector.
diff --git a/src/reflection.cpp b/src/reflection.cpp
@@ -153,6 +153,9 @@ static bool VerifyVector(flatbuffers::Verifier& v,
           table, vec_field);
       if (!v.VerifyVector(vec)) return false;
       if (!vec) return true;
+      if (!table.VerifyField<uoffset_t>(
+              v, vec_field.offset() - sizeof(voffset_t), sizeof(uoffset_t)))
+        return false;
       auto type_vec = table.GetPointer<Vector<uint8_t>*>(vec_field.offset() -
                                                          sizeof(voffset_t));
       if (!v.VerifyVector(type_vec)) return false;
