fix: correct operator precedence in ForAllFields reverse iteration (#8991)

* fix: correct operator precedence in ForAllFields reverse iteration The expression `size() - i + 1` evaluates as `(size() - i) + 1` due to left-to-right associativity, producing an out-of-bounds index when reverse=true. For a vector of size N, the first iteration (i=0) accesses index N+1, which is 2 past the last valid index. Changed to `size() - (i + 1)` to match the correct implementation already present in bfbs_gen.h:192. Bug: CWE-125 (Out-of-bounds Read), CWE-783 (Operator Precedence Error) * test: add ForAllFieldsReverseTest for reverse iteration correctness Verify that ForAllFields with reverse=true iterates fields in descending ID order. Tests both Stat (3 fields) and Monster (many fields with non-sequential definition order) tables. --------- Co-authored-by: Tulgaa <tulgaa.kek@gmail.com>
2026-06-02 04:04:19 +00:00 · 2026-04-02 18:14:27 +08:00
parent 8a12183c3b
commit 05cc7a2eff
4 changed files with 90 additions and 1 deletions
--- a/tests/test.cpp
+++ b/tests/test.cpp
@@ -1774,6 +1774,7 @@ int FlatBufferTests(const std::string& tests_data_path) {
  FixedLengthArrayJsonTest(tests_data_path, false);
  FixedLengthArrayJsonTest(tests_data_path, true);
  ReflectionTest(tests_data_path, flatbuf.data(), flatbuf.size());
+  ForAllFieldsReverseTest(tests_data_path);
  ParseProtoTest(tests_data_path);
  EvolutionTest(tests_data_path);
  UnionDeprecationTest(tests_data_path);