
fix(flatbuffers): guard GetBufferStartFromRootPointer against OOB read before buffer start#9158

Open
samrigby64 wants to merge 1 commit into google:master from samrigby64:samrigby64-patch-1


Conversation

@samrigby64


Summary

GetBufferStartFromRootPointer walks backwards from the root pointer by repeatedly subtracting sizeof(uoffset_t) (up to 9 iterations for 32-byte-aligned buffers) to find the buffer start. It has no check that the walking pointer remains within the buffer allocation. A caller that supplies a root pointer near the beginning of the buffer — or a crafted FlatBuffer with a small or zero vtable offset — will cause the function to read memory before the heap allocation.

Root cause

// include/flatbuffers/flatbuffers.h — before this patch
for (auto possible_roots = FLATBUFFERS_MAX_ALIGNMENT / sizeof(uoffset_t) + 1;
     possible_roots; possible_roots--) {
  start -= sizeof(uoffset_t);   // no lower-bound guard
  if (ReadScalar<uoffset_t>(start) + start == ...)
    return start;
}

Fix

Add an optional buf_start parameter (defaults to nullptr — all existing callers are unchanged). When provided, the backward search stops before walking past buf_start, breaking out of the loop and falling through to the existing FLATBUFFERS_ASSERT(false) path.

// After patch
inline const uint8_t* GetBufferStartFromRootPointer(
    const void* root, const uint8_t* buf_start = nullptr) {
  ...
  for (...) {
    if (buf_start != nullptr && start < buf_start + sizeof(uoffset_t)) break;
    start -= sizeof(uoffset_t);
    ...
  }
}

The guard fires before the subtraction, so it is safe against pointer underflow. Backward compatibility is preserved — callers that omit buf_start behave exactly as before.

@samrigby64 samrigby64 requested a review from dbaileychess as a code owner June 25, 2026 11:34
@github-actions github-actions Bot added the c++ label Jun 25, 2026
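As an added illustration of the guarded backward search the PR describes, here is a self-contained model of GetBufferStartFromRootPointer run against constructed buffers. This is example code written for this page, not the flatbuffers library's implementation or the PR's diff: it assumes the FlatBuffers front-of-buffer layout (root uoffset_t, optional 4-byte file identifier, zero padding, vtable, table), a little-endian host, the default 32-byte FLATBUFFERS_MAX_ALIGNMENT, a vtable carrying only its two size fields, a table holding only its soffset_t, and a constructed file identifier "MONS". The guarded function returns nullptr where the library would reach FLATBUFFERS_ASSERT(false).

```cpp
// Added example, not the flatbuffers library's code: a model of
// GetBufferStartFromRootPointer with the buf_start guard from the PR, run on
// constructed buffers laid out as [root uoffset_t][optional 4-byte identifier]
// [zero padding][vtable][table]. Assumes little-endian, 32-byte max alignment.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

using uoffset_t = uint32_t;           // unsigned forward offset
using soffset_t = int32_t;            // signed table -> vtable offset
constexpr size_t kMaxAlignment = 32;  // FLATBUFFERS_MAX_ALIGNMENT default (assumed)

template <typename T>
static T ReadScalar(const uint8_t* p) {
  T v;
  std::memcpy(&v, p, sizeof(T));
  return v;
}

// Models Table::GetVTable(): a table begins with a signed offset, and the
// vtable lives at table - offset (so a positive value means vtable precedes table).
static const uint8_t* GetVTable(const uint8_t* table) {
  return table - ReadScalar<soffset_t>(table);
}

// Guarded search. buf_start == nullptr reproduces the unguarded walk; with
// buf_start set, the walk stops before it would step below the buffer and
// returns nullptr (the library's FLATBUFFERS_ASSERT(false) path).
const uint8_t* GetBufferStartFromRootPointer(const void* root,
                                             const uint8_t* buf_start = nullptr) {
  auto table = static_cast<const uint8_t*>(root);
  auto start = std::min(GetVTable(table), table);
  // Align down to sizeof(uoffset_t).
  start = reinterpret_cast<const uint8_t*>(
      reinterpret_cast<uintptr_t>(start) & ~uintptr_t(sizeof(uoffset_t) - 1));
  for (size_t possible_roots = kMaxAlignment / sizeof(uoffset_t) + 1;
       possible_roots; possible_roots--) {
    // Guard runs before the subtraction, so start never goes below buf_start.
    if (buf_start != nullptr && start < buf_start + sizeof(uoffset_t)) break;
    start -= sizeof(uoffset_t);
    if (ReadScalar<uoffset_t>(start) + start == table) return start;
  }
  return nullptr;
}

// Constructed sample storage (not produced by FlatBufferBuilder); over-aligned
// so that the align-down step in the search is exact.
struct Sample {
  alignas(32) uint8_t buf[128];
};

// Writes root offset at 0, optional identifier at 4, zero padding, a 4-byte
// vtable at `align` and a 4-byte table at `align + 4`. Returns the root pointer.
const uint8_t* BuildSample(Sample& s, bool with_ident, size_t align) {
  std::memset(s.buf, 0, sizeof s.buf);
  const size_t vt = align, tbl = align + sizeof(uoffset_t);
  uoffset_t root_off = static_cast<uoffset_t>(tbl);
  std::memcpy(s.buf, &root_off, sizeof root_off);
  if (with_ident) std::memcpy(s.buf + 4, "MONS", 4);  // constructed identifier
  uint16_t vt_size = 4, tbl_size = 4;
  std::memcpy(s.buf + vt, &vt_size, sizeof vt_size);
  std::memcpy(s.buf + vt + 2, &tbl_size, sizeof tbl_size);
  soffset_t to_vtable = static_cast<soffset_t>(tbl - vt);
  std::memcpy(s.buf + tbl, &to_vtable, sizeof to_vtable);
  return s.buf + tbl;
}

int main() {
  Sample good, crafted;
  const uint8_t* root = BuildSample(good, true, 32);
  std::printf("valid buffer: start found at offset %td\n",
              GetBufferStartFromRootPointer(root, good.buf) - good.buf);
  // Crafted input: zero vtable offset and a root 4 bytes into the buffer.
  // The unguarded walk would read 4 bytes before the allocation on step two.
  std::memset(crafted.buf, 0, sizeof crafted.buf);
  const uint8_t* r = GetBufferStartFromRootPointer(crafted.buf + 4, crafted.buf);
  std::printf("crafted buffer: %s\n", r ? "found" : "rejected by guard");
  return 0;
}
```

On a well-formed buffer the result is identical with and without buf_start, which is the compatibility claim in the description; on the crafted buffer the guard breaks out on the second step, before the pointer would drop below the allocation. A buffer aligned beyond 32 bytes still exits through the existing loop-exhaustion path after nine steps, independent of the new guard.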