[Swift] Fix verifier accepting truncated scalar vectors (OOB read/write, RCE) (#9081 )

2026-06-02 04:04:19 +00:00 · 2026-05-08 10:16:10 +02:00
3 changed files with 33 additions and 5 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,7 +51,7 @@ jobs:
      if: startsWith(github.ref, 'refs/tags/')
      run: zip Linux.flatc.binary.${{ matrix.cxx }}.zip flatc
    - name: Release zip file
-      uses: softprops/action-gh-release@v3
+      uses: softprops/action-gh-release@v2
      if: startsWith(github.ref, 'refs/tags/')
      with:
        files: Linux.flatc.binary.${{ matrix.cxx }}.zip
@@ -179,7 +179,7 @@ jobs:
      if: startsWith(github.ref, 'refs/tags/')
      run: move Release/flatc.exe . && Compress-Archive flatc.exe Windows.flatc.binary.zip
    - name: Release binary
-      uses: softprops/action-gh-release@v3
+      uses: softprops/action-gh-release@v2
      if: startsWith(github.ref, 'refs/tags/')
      with:
        files: Windows.flatc.binary.zip
@@ -255,7 +255,7 @@ jobs:
      if: startsWith(github.ref, 'refs/tags/')
      run: mv Release/flatc . && zip MacIntel.flatc.binary.zip flatc
    - name: Release binary
-      uses: softprops/action-gh-release@v3
+      uses: softprops/action-gh-release@v2
      if: startsWith(github.ref, 'refs/tags/')
      with:
        files: MacIntel.flatc.binary.zip
@@ -298,7 +298,7 @@ jobs:
      if: startsWith(github.ref, 'refs/tags/')
      run: mv Release/flatc . && zip Mac.flatc.binary.zip flatc
    - name: Release binary
-      uses: softprops/action-gh-release@v3
+      uses: softprops/action-gh-release@v2
      if: startsWith(github.ref, 'refs/tags/')
      with:
        files: Mac.flatc.binary.zip
--- a/swift/Sources/FlatBuffers/Verifiable.swift
+++ b/swift/Sources/FlatBuffers/Verifiable.swift
@@ -56,8 +56,15 @@ extension Verifiable {
    let len: UOffset = try verifier.getValue(at: position)
    let intLen = Int(len)
    let start = Int(clamping: (position &+ MemoryLayout<Int32>.size).magnitude)
+    let byteCount = intLen.multipliedReportingOverflow(
+      by: MemoryLayout<T>.size)
+    guard !byteCount.overflow else {
+      throw FlatbuffersErrors.outOfBounds(
+        position: UInt.max,
+        end: verifier.capacity)
+    }
    try verifier.isAligned(position: start, type: type.self)
-    try verifier.rangeInBuffer(position: start, size: intLen)
+    try verifier.rangeInBuffer(position: start, size: byteCount.partialValue)
    return (start, intLen)
  }
 }
--- a/tests/swift/Tests/Flatbuffers/FlatbuffersVerifierTests.swift
+++ b/tests/swift/Tests/Flatbuffers/FlatbuffersVerifierTests.swift
@@ -411,6 +411,27 @@ final class FlatbuffersVerifierTests {
    }
  }

+  @Test(.bug("https://github.com/google/flatbuffers/issues/9082"))
+  func testRejectsTruncatedScalarVector() {
+    // swiftformat:disable all
+    var byteBuffer = ByteBuffer(bytes: [
+      16, 0, 0, 0,
+      6, 0, 8, 0,
+      4, 0, 0, 0,
+      0, 0, 0, 0,
+      12, 0, 0, 0,
+      8, 0, 0, 0,
+      0, 0, 0, 0,
+      2, 0, 0, 0,
+      65, 66,
+    ])
+    // swiftformat:enable all
+
+    #expect(throws: FlatbuffersErrors.self) {
+      try getCheckedRoot(byteBuffer: &byteBuffer) as Swift_Tests_Vectors
+    }
+  }
+
  @Test
  func testValidUnionBuffer() {
    let string = "Awesome \\\\t\t\nstring!"