From ebc04598a712d69fb11d4b424723e34902149c85 Mon Sep 17 00:00:00 2001
From: mohamedelabbas1996
Date: Sun, 19 Apr 2026 15:46:39 -0400
Subject: [PATCH] Fix heap OOB write in ForAllFields when field ID exceeds field count
Add bounds check in ForAllFields to validate that field->id() does not exceed the number of fields before using it as an index into field_to_id_map. Without this check, a crafted .bfbs binary schema with a field ID larger than the field count causes an out-of-bounds write past the field_to_id_map vector (CWE-122). The FlatBuffer verifier validates structural integrity but does not check the semantic constraint that field.id < fields.size(), so a structurally valid .bfbs can trigger this bug. PoC: A 340-byte .bfbs with field->id()=100 and 3 fields causes ASAN to report heap-buffer-overflow WRITE at reflection.cpp:387.
---
 src/reflection.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/reflection.cpp b/src/reflection.cpp
index 268d7d8515..d0410d7824 100644
--- a/src/reflection.cpp
+++ b/src/reflection.cpp
@@ -384,7 +384,11 @@ void ForAllFields(const reflection::Object* object, bool reverse,
   // Create the mapping of field ID to the index into the vector.
   for (uint32_t i = 0; i < object->fields()->size(); ++i) {
     auto field = object->fields()->Get(i);
-    field_to_id_map[field->id()] = i;
+    // Validate field ID to prevent out-of-bounds write when processing
+    // untrusted binary schemas (.bfbs files).
+    if (field->id() < object->fields()->size()) {
+      field_to_id_map[field->id()] = i;
+    }
   }
   for (size_t i = 0; i < field_to_id_map.size(); ++i) {