Fix heap-buffer-overflow in minireflect.h during union vector parsing

[mabrukhany-beep]

Summary
Fixes a heap-buffer-overflow in IterateValue() when processing union vectors
where the data vector size is desynchronized from the type tag vector size.

Bug Description
In minireflect.h, the ST_UNION branch reads the union type tag using:

union_type = type_vec->Get(static_cast<uoffset_t>(vector_index));
The vector_index comes from a loop bounded by vec->size() of the data
vector, but type_vec points to the type tag vector — a separate vector
that may have a smaller size. When the buffer is malformed (e.g., data vector
size inflated), this causes an out-of-bounds read.
Fix
Added bounds check before type_vec->Get():
cpp
if (type_vec && static_cast<size_t>(vector_index) < type_vec->size()) {
union_type = type_vec->Get(static_cast<uoffset_t>(vector_index));
} else {
visitor->Unknown(val);
break;
}
Testing
Added minireflect_fuzzer libFuzzer harness
Added seed_minireflect/ directory for corpus
The fuzzer exercises FlatBufferToString() with the Movie schema which
contains union vectors
Related
This addresses a security issue where FlatBufferToString() can crash on
malformed buffers due to missing bounds checking in the mini-reflection
union vector path.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[mabrukhany-beep]

.

[mabrukhany-beep]

@google-cla I signed it!

[mabrukhany-beep]

.

[mabrukhany-beep]

Hi @dbaileychess,

I’m following up on this PR which addresses a Heap OOB Read vulnerability I reported via the Google VRP (Issue 519835122).

While the general project stance is to trust buffers after verification, this patch is critical for several reasons:

1 Inconsistent Vector State:** The root cause is a logic flaw in minireflect.h where the loop bound is derived from the data vector, while the indexed access targets the parallel type-tag vector. This creates a "Desynchronized Parallel Vector Traversal" that the current Verifier doesn't explicitly block, as it's a structural parsing assumption within minireflect itself.
2 Release Build Exposure:** In production builds, FLATBUFFERS_ASSERT is stripped (NDEBUG), leaving ReadScalar completely unguarded against these desynchronized offsets.
3 Documentation Alignment:** As noted in my report, FlatBufferToString is often used in logging and debugging contexts where a full Verify pass might be skipped or assumed, as seen in the project's own tests/test.cpp and reflection_test.cpp.

I’ve provided a libFuzzer harness in this PR that consistently reproduces the crash on the original code and confirms the fix. Given that this is now being tracked under the Google Patch Rewards program, I’d appreciate a deep dive into the bounds-check logic and the Unknown() fallback to ensure it meets the repository's security standards for a merge.

Thanks!