From 74a25536be1d3242f52d98007a6a03934b675cbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Harrtell?=
Date: Sat, 14 May 2022 00:15:00 +0200
Subject: [PATCH] Add size check to fix out of bounds read risk (#7304)
---
 include/flatbuffers/verifier.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/include/flatbuffers/verifier.h b/include/flatbuffers/verifier.h
index c8a88eefe..d100bf48c 100644
--- a/include/flatbuffers/verifier.h
+++ b/include/flatbuffers/verifier.h
@@ -164,10 +164,11 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 // gives the result we want.
 auto vtableo = tableo - static_cast(ReadScalar(table));
 // Check the vtable size field, then check vtable fits in its entirety.
- return VerifyComplexity() && Verify(vtableo) &&
+ if (!( VerifyComplexity() && Verify(vtableo) &&
 VerifyAlignment(ReadScalar(buf_ + vtableo),
- sizeof(voffset_t)) &&
- Verify(vtableo, ReadScalar(buf_ + vtableo));
+ sizeof(voffset_t)))) return false;
+ auto vsize = ReadScalar(buf_ + vtableo);
+ return Check((vsize & 1) == 0) && Verify(vtableo, vsize);
 }
 template
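Review bot: The new `Check((vsize & 1) == 0)` on the last added line has no explanation, and the existing comment above it ("Check the vtable size field, then check vtable fits in its entirety") no longer describes everything the code does. I would add `// vtable entries are voffset_t wide; an odd size leaves a trailing partial entry, so a later field read could extend past the range verified here.` above the `vsize` line; that is presumably the out-of-bounds read the subject refers to, so the author should confirm the wording. The preceding `VerifyAlignment(..., sizeof(voffset_t))` appears to test the same property; if that helper depends on an alignment option (not visible in this hunk), the comment should say so, so that nobody later removes the unconditional check as redundant. The diffstat shows only verifier.h changed, so a regression test that runs the verifier on a buffer whose vtable size field is odd would pin the fix. The enclosing function begins above the hunk.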