[Reflection] Range-check shapeIndex in createBoundGenericTypeReconstructingParent.

If the parentNode chain ends up being longer than genericParamsPerLevel, we can underflow shapeIndex, resulting in an out-of-bounds read. Range check it against the vector before trying to read it, and return NULL if it's out of bounds.

rdar://103220412

Author: mikeash

include/swift/Reflection/TypeRefBuilder.h

@@ -569,6 +569,9 @@ class TypeRefBuilder {
     if (!mangling.isSuccess())
       return nullptr;
 
+    if (shapeIndex >= genericParamsPerLevel.size())
+      return nullptr;
+
     auto numGenericArgs = genericParamsPerLevel[shapeIndex];
 
     auto startOffsetFromEnd = argsIndex + numGenericArgs;