Skip to content

fix: harden MiniReflect union handling for NONE and unknown union types#9126

Open
Adyej999 wants to merge 1 commit into
google:masterfrom
Adyej999:harden-minireflect-union-handling
Open

fix: harden MiniReflect union handling for NONE and unknown union types#9126
Adyej999 wants to merge 1 commit into
google:masterfrom
Adyej999:harden-minireflect-union-handling

Conversation

@Adyej999

@Adyej999 Adyej999 commented Jun 8, 2026

Copy link
Copy Markdown

Problem

MiniReflect resolves union value offsets before fully confirming that the union discriminator represents a concrete union member.

For NONE and unknown/future union discriminator values, MiniReflect should avoid treating the union value as a concrete object. These cases can occur when inspecting unusual, malformed, or fuzzed FlatBuffer inputs through MiniReflect APIs such as:

FlatBufferToString()
IterateFlatBuffer()

The affected code path is in:

include/flatbuffers/minireflect.h

Impact

MiniReflect is used for FlatBuffer inspection and stringification. If union traversal is not defensive for non-concrete union states, MiniReflect can attempt invalid type-reference or value-offset handling while walking the buffer.

This makes MiniReflect less robust for edge-case union states and fuzzed inputs, especially for:

NONE union entries
unknown/future union discriminator values
size-prefixed buffer variants
custom IterationVisitor callbacks

Fix

This PR hardens MiniReflect union traversal so that union value offsets are not resolved before the union discriminator is known to represent a concrete union member.

The change:

- handles NONE union entries safely;
- handles unknown/future union types safely;
- avoids resolving union value offsets too early;
- avoids invalid MiniReflect type-reference lookup for non-concrete union entries;
- avoids forwarding resolved invalid union value pointers to IterationVisitor::Unknown().

Additional coverage

This PR also adds regression coverage for:

- single union NONE cases;
- vector-of-unions NONE cases;
- size-prefixed buffer variants;
- unknown/future union type handling.

A new MiniReflect fuzzer target is also added:

tests/fuzzer/flatbuffers_minireflect_fuzzer.cc

The fuzzer exercises MiniReflect APIs such as FlatBufferToString() and IterateFlatBuffer() over normal and size-prefixed inputs, including NONE and unknown/future union states.

Verification

Tested locally with:

flattests: ALL TESTS PASSED
minireflect_fuzzer: 1000 runs completed successfully
git diff --check: no whitespace errors

@Adyej999 Adyej999 requested a review from dbaileychess as a code owner June 8, 2026 13:30
@github-actions github-actions Bot added the c++ label Jun 8, 2026
@Adyej999 Adyej999 changed the title Harden MiniReflect union handling for NONE and unknown union types fix: harden MiniReflect union handling for NONE and unknown union types Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dbaileychess dbaileychess Awaiting requested review from dbaileychess dbaileychess is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Adyej999