Fix heap-buffer-overflow if there is a struct within a union

The validator previously did not check if a struct within a union was valid, causing a heap buffer overflow. Add a check to make sure that the struct is valid in this case. Change-Id: I87d41b12fdfc2a99406789531ba92b841c063c76
2019-04-19 11:49:49 -07:00 · 2019-04-19 11:49:49 -07:00 · 5b43e4bbb8
parent ecd76e898d
commit 5b43e4bbb8
2 changed files with 5 additions and 4 deletions
--- a/src/idl_gen_cpp.cpp
+++ b/src/idl_gen_cpp.cpp
@ -1213,7 +1213,8 @@ class CppGenerator : public BaseGenerator {
            "      auto ptr = reinterpret_cast<const {{TYPE}} *>(obj);";
        if (ev.union_type.base_type == BASE_TYPE_STRUCT) {
          if (ev.union_type.struct_def->fixed) {
-            code_ += "      return true;";
+            code_ += "      return verifier.Verify<{{TYPE}}>(static_cast<const "
+                     "uint8_t *>(obj), 0);";
          } else {
            code_ += getptr;
            code_ += "      return verifier.VerifyTable(ptr);";
--- a/tests/union_vector/union_vector_generated.h
+++ b/tests/union_vector/union_vector_generated.h
@ -547,13 +547,13 @@ inline bool VerifyCharacter(flatbuffers::Verifier &verifier, const void *obj, Ch
      return verifier.VerifyTable(ptr);
    }
    case Character_Rapunzel: {
-      return true;
+      return verifier.Verify<Rapunzel>(static_cast<const uint8_t *>(obj), 0);
    }
    case Character_Belle: {
-      return true;
+      return verifier.Verify<BookReader>(static_cast<const uint8_t *>(obj), 0);
    }
    case Character_BookFan: {
-      return true;
+      return verifier.Verify<BookReader>(static_cast<const uint8_t *>(obj), 0);
    }
    case Character_Other: {
      auto ptr = reinterpret_cast<const flatbuffers::String *>(obj);