fix(flexbuffers): guard Map::Keys() against OOB heap read before buffer start

[samrigby64]

Summary

Map::Keys() computes data_ - byte_width_ * 3 to locate the keys vector that precedes every FlexBuffers map in memory, but performs no check that the result is within the buffer allocation. A crafted FlexBuffer that places the map's data pointer within byte_width * 3 bytes of the buffer start causes the subtraction to produce a pointer before the allocation — an out-of-bounds heap read.

Root cause

// include/flatbuffers/flexbuffers.h — before this patch
TypedVector Keys() const {
  const size_t num_prefixed_fields = 3;
  auto keys_offset = data_ - byte_width_ * num_prefixed_fields;  // no bounds check
  return TypedVector(Indirect(keys_offset, byte_width_), ...);
}

Fix

Thread buf_start from GetRoot() through Reference (as an optional field defaulting to nullptr) into Map via AsMap(). Add a pre-flight check in Keys() that returns EmptyTypedVector() if the backward offset would underflow:

TypedVector Keys() const {
  const size_t num_prefixed_fields = 3;
  if (buf_start_ != nullptr &&
      data_ < buf_start_ + byte_width_ * num_prefixed_fields) {
    return TypedVector::EmptyTypedVector();
  }
  auto keys_offset = data_ - byte_width_ * num_prefixed_fields;
  ...
}

All existing constructors of Map and Reference are backward-compatible — buf_start defaults to nullptr, which disables the guard. Only the GetRoot() → Reference → AsMap() path propagates the real buffer start.