Merge pull request #5303 from lambdageek/cattr-bcheck

[custom_attrs] Add bounds checking to custom attribute parsing

diff --combined mono/metadata/metadata.c
index aea1343df99c5dac29b3945222b080ea19b6b481,75e9b4aa66ba8abe41b28ffa40af28fdaf88aec1..b41dbf4e8186eff36f490f2a4d4844b032c73295
--- 1/mono/metadata/metadata.c
--- 2/mono/metadata/metadata.c
+++ b/mono/metadata/metadata.c
@@@ -1180,7 -1180,7 +1180,7 @@@ mono_metadata_decode_row_col (const Mon
   * \param ptr pointer to a blob object
   * \param rptr the new position of the pointer
   *
-  * This decodes a compressed size as described by 23.1.4 (a blob or user string object)
+  * This decodes a compressed size as described by 24.2.4 (#US and #Blob a blob or user string object)
   *
   * \returns the size of the blob object
   */
@@@ -1522,7 -1522,7 +1522,7 @@@ builtin_types[] = 
  #define NBUILTIN_TYPES() (sizeof (builtin_types) / sizeof (builtin_types [0]))
  
  static GHashTable *type_cache = NULL;
 -static int next_generic_inst_id = 0;
 +static gint32 next_generic_inst_id = 0;
  
  /* Protected by image_sets_mutex */
  static MonoImageSet *mscorlib_image_set;
@@@ -3160,7 -3160,7 +3160,7 @@@ mono_metadata_get_canonical_generic_ins
                int size = MONO_SIZEOF_GENERIC_INST + type_argc * sizeof (MonoType *);
                ginst = (MonoGenericInst *)mono_image_set_alloc0 (set, size);
  #ifndef MONO_SMALL_CONFIG
 -              ginst->id = ++next_generic_inst_id;
 +              ginst->id = InterlockedIncrement (&next_generic_inst_id);
  #endif
                ginst->is_open = is_open;
                ginst->type_argc = type_argc;