From 5b43e4bbb81c170f1e83100e88157b2f55fe0e74 Mon Sep 17 00:00:00 2001
From: Wouter van Oortmerssen
Date: Fri, 19 Apr 2019 11:49:49 -0700
Subject: [PATCH] Fix heap-buffer-overflow if there is a struct within a union

The validator previously did not check if a struct within a union was valid, causing a heap buffer overflow. Add a check to make sure that the struct is valid in this case.

Change-Id: I87d41b12fdfc2a99406789531ba92b841c063c76
---
 src/idl_gen_cpp.cpp | 3 ++-
 tests/union_vector/union_vector_generated.h | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/idl_gen_cpp.cpp b/src/idl_gen_cpp.cpp
index a50d28acc..268c436eb 100644
--- a/src/idl_gen_cpp.cpp
+++ b/src/idl_gen_cpp.cpp
@@ -1213,7 +1213,8 @@ class CppGenerator : public BaseGenerator {
 " auto ptr = reinterpret_cast(obj);";
 if (ev.union_type.base_type == BASE_TYPE_STRUCT) {
 if (ev.union_type.struct_def->fixed) {
- code_ += " return true;";
+ code_ += " return verifier.Verify<{{TYPE}}>(static_cast(obj), 0);";
 } else {
 code_ += getptr;
 code_ += " return verifier.VerifyTable(ptr);";
diff --git a/tests/union_vector/union_vector_generated.h b/tests/union_vector/union_vector_generated.h
index 9da819a33..757a9584f 100644
--- a/tests/union_vector/union_vector_generated.h
+++ b/tests/union_vector/union_vector_generated.h
@@ -547,13 +547,13 @@ inline bool VerifyCharacter(flatbuffers::Verifier &verifier, const void *obj, Ch return verifier.VerifyTable(ptr); } case Character_Rapunzel: { - return true; + return verifier.Verify(static_cast(obj), 0); } case Character_Belle: { - return true; + return verifier.Verify(static_cast(obj), 0); } case Character_BookFan: { - return true; + return verifier.Verify(static_cast(obj), 0); } case Character_Other: { auto ptr = reinterpret_cast(obj);
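Review bot: The string emitted in the `fixed` branch carries no comment saying why a fixed struct needs a range check or what the trailing `0` means, which makes it easy for a later cleanup to restore `return true;`. I would add above that `code_ +=` line a comment such as `// Fixed structs have no vtable to verify, but their bytes must still lie inside the buffer; 0 is the offset from obj.` The diffstat lists only the generator and the regenerated `union_vector_generated.h`, so no test visible in this patch feeds the verifier a truncated buffer whose union member is a struct; a regression case for that input would pin the fix. It is also worth confirming what this branch returns when `obj` is null (union type set, value field absent), since the table branch hands that case to `VerifyTable`. The enclosing generator function begins and ends outside the hunk.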