
encoding: verify that the target message is extendable

After resolving a FieldDescriptor from the resolver, verify that the
returned descriptor truly does extend the target message.

This will never happen with the global registry, since it checks this,
but it can happen with poorly written custom resolvers.

Change-Id: I2de5b9d2fb9d32e076ec4e82adda98d672891444
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/193737
Reviewed-by: Herbie Ong <herbie@google.com>
Joe Tsai пре 6 година
родитељ
комит
0bf4113643
2 измењених фајлова са 6 додато и 0 уклоњено
  1. 3 0
      encoding/protojson/decode.go
  2. 3 0
      encoding/prototext/decode.go

+ 3 - 0
encoding/protojson/decode.go

@@ -184,6 +184,9 @@ func (o UnmarshalOptions) unmarshalFields(m pref.Message, skipTypeURL bool) erro
 			}
 			if extType != nil {
 				fd = extType.TypeDescriptor()
+				if !messageDesc.ExtensionRanges().Has(fd.Number()) || fd.ContainingMessage().FullName() != messageDesc.FullName() {
+					return errors.New("message %v cannot be extended by %v", messageDesc.FullName(), fd.FullName())
+				}
 			}
 		} else {
 			// The name can either be the JSON name or the proto field name.
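Review bot: The guard added after `fd = extType.TypeDescriptor()` has no comment saying why resolver output is re-validated, and the diffstat lists only the two decode.go files, so no test pins the new error path. I would add above the `if` something like `// A custom resolver may return an extension that does not extend messageDesc; the global registry already enforces this.` and a decode test whose resolver returns an extension declared for a different message. The identical three lines in encoding/prototext/decode.go (unmarshalMessage) deserve the same comment and test, and the duplicated condition could live in one shared helper so the two decoders cannot drift apart. The check also calls `fd.ContainingMessage().FullName()` unconditionally; whether a misbehaving resolver can make ContainingMessage() return nil is not visible here, so that is worth confirming. unmarshalFields starts and ends outside this hunk.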

+ 3 - 0
encoding/prototext/decode.go

@@ -128,6 +128,9 @@ func (o UnmarshalOptions) unmarshalMessage(tmsg [][2]text.Value, m pref.Message)
 			}
 			if xt != nil {
 				fd = xt.TypeDescriptor()
+				if !messageDesc.ExtensionRanges().Has(fd.Number()) || fd.ContainingMessage().FullName() != messageDesc.FullName() {
+					return errors.New("message %v cannot be extended by %v", messageDesc.FullName(), fd.FullName())
+				}
 			}
 		}