fix: correct operator precedence in ForAllFields reverse iteration (#8991)

* fix: correct operator precedence in ForAllFields reverse iteration The expression `size() - i + 1` evaluates as `(size() - i) + 1` due to left-to-right associativity, producing an out-of-bounds index when reverse=true. For a vector of size N, the first iteration (i=0) accesses index N+1, which is 2 past the last valid index. Changed to `size() - (i + 1)` to match the correct implementation already present in bfbs_gen.h:192. Bug: CWE-125 (Out-of-bounds Read), CWE-783 (Operator Precedence Error) * test: add ForAllFieldsReverseTest for reverse iteration correctness Verify that ForAllFields with reverse=true iterates fields in descending ID order. Tests both Stat (3 fields) and Monster (many fields with non-sequential definition order) tables. --------- Co-authored-by: Tulgaa <tulgaa.kek@gmail.com>
2026-06-03 04:21:13 +00:00 · 2026-04-02 18:14:27 +08:00
parent 8a12183c3b
commit 05cc7a2eff
4 changed files with 90 additions and 1 deletions
--- a/src/reflection.cpp
+++ b/src/reflection.cpp
@@ -389,7 +389,7 @@ void ForAllFields(const reflection::Object* object, bool reverse,

  for (size_t i = 0; i < field_to_id_map.size(); ++i) {
    func(object->fields()->Get(
-        field_to_id_map[reverse ? field_to_id_map.size() - i + 1 : i]));
+        field_to_id_map[reverse ? field_to_id_map.size() - (i + 1) : i]));
  }
 }