From d452b64190609469d4199dd9aa80a13a3753d064 Mon Sep 17 00:00:00 2001
From: Song
Date: Wed, 6 May 2026 17:06:23 +0000
Subject: [PATCH] fix: heap-buffer-overflow in FlexBuffers ToString due to inverted VerifyKey predicate

VerifyKey accepted keys on the first non-zero byte instead of requiring a NUL terminator. Malformed keys passed verification, then ToString called strlen on unterminated data, reading past the buffer.

Fix: flip the predicate from `if (*p++)` to `if (!*p++)` so VerifyKey requires an in-bounds NUL terminator before accepting.

Fixes google/flatbuffers#9041
---
 include/flatbuffers/flexbuffers.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca..5c42a7ed47 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -1976,7 +1976,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 bool VerifyKey(const uint8_t* p) {
 FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
 while (p < buf_ + size_)
- if (*p++) return true;
+ if (!*p++) return true;
 return false;
 }
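Review bot: The corrected predicate on the `+` line is right, but the patch carries no regression test and VerifyKey remains undocumented — the diffstat shows only include/flatbuffers/flexbuffers.h changed, so nothing pins the new requirement that a key's NUL terminator lie inside `[buf_, buf_ + size_)`. A one-line comment above the loop would make the contract explicit: `// A key is only valid if its NUL terminator lies within the buffer; ToString relies on this before calling strlen.` A test that runs the verifier over a buffer truncated just before a key's terminator, and asserts verification now fails where it previously succeeded, would keep the overflow described in the commit message from being reintroduced. The enclosing class Verifier begins outside the hunk.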