Unrated severity · NVD Advisory · Published Apr 13, 2021 · Updated Aug 3, 2024

CVE-2021-24028

Description

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

24

Vulnerability mechanics

Root cause

"Missing check for an already-active union member before placement-new re-initialization causes an invalid free in Thrift's table-based serializer"

Attack vector

An attacker can craft a malicious Thrift payload containing invalid union data where the active member ID is non-zero but the union already holds a live object. When the table-based serializer deserializes this payload, the old `read()` path would placement-new over the existing object without first clearing it, causing an invalid free [ref_id=1]. This can lead to application crash or potentially arbitrary code execution. The attack is network-triggered by sending a specially crafted Thrift message to a service using the affected serialization path.

Affected code

The vulnerability is in the table-based serialization logic for Thrift unions, specifically in the serializer's `read()` and `write()` functions. The patch renames `activeUnionMemberId` to `getActiveId` and changes `read()` to check whether the active union member ID is non-zero before re-initializing a member, preventing an invalid free when deserializing malformed union data [ref_id=1].

What the fix does

The patch adds a check `if (activeId != 0)` before re-initializing a union member in the `read()` function, and calls `structInfo.unionExt->clear(object)` to properly destroy the existing active member before placement-new of the new member [ref_id=1]. This prevents the invalid free that occurred when the serializer overwrote a live union member without first cleaning it up. The `write()` path is also updated to use the renamed `getActiveId` helper for consistency.
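The root cause and the fix described above can be seen in a small model. This is an added example, not fbthrift code: `Member`, `ModelUnion`, `readUnchecked` and `readChecked` are hypothetical names, and the model only counts object lifetimes, so the skipped cleanup shows up as a member that is never destroyed rather than as memory corruption.

```cpp
#include <cstdio>
#include <new>
// Constructed, simplified model of a tagged union; not fbthrift code.
struct Member {
  static int constructed, destroyed;  // lifetime counters for the demo
  int value;
  explicit Member(int v) : value(v) { ++constructed; }
  ~Member() { ++destroyed; }
};
int Member::constructed = 0, Member::destroyed = 0;

struct ModelUnion {
  alignas(Member) unsigned char storage[sizeof(Member)];
  Member* member = nullptr;
  int activeId = 0;  // 0 means no member is active
  void clear() {     // destroy the live member before the storage is reused
    if (member) member->~Member();
    member = nullptr;
    activeId = 0;
  }
  ~ModelUnion() { clear(); }
};

// Pre-fix pattern: placement-new with no check of activeId.
void readUnchecked(ModelUnion& u, int id, int v) {
  u.member = new (u.storage) Member(v);
  u.activeId = id;
}

// Post-fix pattern: clear the live member first when activeId != 0.
void readChecked(ModelUnion& u, int id, int v) {
  if (u.activeId != 0) u.clear();
  u.member = new (u.storage) Member(v);
  u.activeId = id;
}

// Reads two members into one union; returns how many were never destroyed.
int undestroyedAfterTwoReads(void (*read)(ModelUnion&, int, int)) {
  Member::constructed = Member::destroyed = 0;
  {
    ModelUnion u;
    read(u, 1, 10);  // first member becomes active
    read(u, 2, 20);  // second read arrives while member 1 is still live
  }
  return Member::constructed - Member::destroyed;
}

int main() {
  std::printf("unchecked: %d\n", undestroyedAfterTwoReads(readUnchecked));
  std::printf("checked:   %d\n", undestroyedAfterTwoReads(readChecked));
}
```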

Preconditions

  • config: The service must use Facebook Thrift's table-based serialization for union types
  • network: The attacker must be able to send a crafted Thrift message over the network
  • input: The crafted payload must contain invalid union data where the active member ID is non-zero but the union already holds a live object

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
