Add bounds checks for Type.index() in CopyTable and BinaryAnnotator

[ganisai8202]

Summary

Multiple sites in CopyTable (src/reflection.cpp) and BinaryAnnotator (src/binary_annotator.cpp, src/binary_annotator.h) use field->type()->index() as a direct index into schema->objects() or schema->enums() without bounds checking. Vector::Get() only has a debug-only FLATBUFFERS_ASSERT, so in release builds (-DNDEBUG) an out-of-range index causes a wild-pointer dereference (SIGSEGV).

This is reachable via flatc --annotate, which loads raw .bfbs bytes (src/flatc.cpp:1050-1052) without going through the bounds-checked Parser::Deserialize path. VerifySchemaBuffer() does not validate type.index bounds, so it accepts the malicious schema.

Fix

Add GetObjectByIndex / GetEnumByIndex safe accessor helpers (return nullptr on out-of-range index) and update each call site to check before dereference. The pattern follows the existing bounds check in BinaryAnnotator::IsValidUnionValue (binary_annotator.h:416).

Scope

Sites fixed in this PR:

• src/reflection.cpp: CopyTable (3 sites)
• src/binary_annotator.h: IsInlineField, GetElementSize (2 sites)
• src/binary_annotator.cpp: BuildTable, BuildStruct, BuildVector, BuildUnion (6 sites)

Validation

• Both patched files compile cleanly with -std=c++17 -O1 -DNDEBUG.
• A crafted .bfbs with type.index = 0x7FFFFFFF (objects size = 1) no longer causes SIGSEGV through flatc --annotate after this patch.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.