From fa751572d467f64cf8fc2e6a43a868e91a8e5c5f Mon Sep 17 00:00:00 2001
From: anish k
Date: Fri, 24 Apr 2026 02:54:28 +0000
Subject: [PATCH] Fix heap buffer overflow in GenTextFile when parsing malformed flatbuffers binaries

## Summary

Signed-off-by: anish k
---
 src/idl_gen_text.cpp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/idl_gen_text.cpp b/src/idl_gen_text.cpp
index 6908305535..12624b2c76 100644
--- a/src/idl_gen_text.cpp
+++ b/src/idl_gen_text.cpp
@@ -447,6 +447,24 @@ const char* GenTextFile(const Parser& parser, const std::string& path,
 : "SaveFile failed";
 }
 if (!parser.builder_.GetSize() || !parser.root_struct_def_) return nullptr;
+ // Validate the root offset and vtable bounds before generating text to
+ // prevent crashes on malformed buffers (e.g. attacker-controlled offsets).
+ {
+ const uint8_t* buf = parser.builder_.GetBufferPointer();
+ const size_t buf_size = parser.builder_.GetSize();
+ if (buf_size < FLATBUFFERS_MIN_BUFFER_SIZE)
+ return "flatbuffer too small to be valid";
+ // For size-prefixed buffers, the root object starts after the size field.
+ const size_t root_start =
+ parser.opts.size_prefixed ? sizeof(uoffset_t) : 0;
+ Verifier verifier(buf, buf_size);
+ const auto root_off = verifier.VerifyOffset(root_start);
+ if (!root_off) return "root offset in flatbuffer is out of bounds";
+ const auto* root_table =
+ reinterpret_cast(buf + root_start + root_off);
+ if (!root_table->VerifyTableStart(verifier))
+ return "vtable of root table in flatbuffer is invalid";
+ }
 std::string text;
 auto err = GenText(parser, parser.builder_.GetBufferPointer(), &text);
 if (err) return err;
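Review bot: `VerifyTableStart` only bounds-checks the root table's vtable, so after this new block GenText still dereferences the root table's field payloads (offsets to strings, vectors, nested tables, unions) with no verification, and a malformed offset in any of those fields can still read past the buffer — the overflow named in the title is narrowed, not closed. Since a `Verifier` is already constructed here, consider verifying the root table against the parsed schema (walking the fields of `parser.root_struct_def_` with the verifier's offset, string and vector checks) rather than stopping at the vtable, or failing closed inside GenText's per-field reads; GenText is outside this hunk, so whether it already carries such checks is an assumption to confirm. The `reinterpret_cast(buf + root_start + root_off)` line has no template argument as rendered here, presumably `<const Table*>` lost in extraction — worth confirming against the actual file, and the comment above it could say `// Only the vtable is checked here; field payloads are validated by the caller.` if that is the intended split. GenTextFile's body continues on both sides of the hunk.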