From a1de9ada737a65b2c15a5bf2473eca61329a9850 Mon Sep 17 00:00:00 2001
From: Song
Date: Wed, 6 May 2026 17:17:28 +0000
Subject: [PATCH] fix: stack overflow in FlexBuffers ToString via unbounded mutual recursion

ToString and AppendToString recurse into each other with no depth limit. A crafted 31-byte FlexBuffer with self-referential vectors passes VerifyBuffer and then blows the stack (~247 frames).

Fix: cap recursion at depth 64 using the existing cur_indent parameter, emitting "..." when the limit is reached.

Fixes google/flatbuffers#9074
---
 include/flatbuffers/flexbuffers.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca..4689c35f0c 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -598,6 +598,7 @@ class Reference {
   void ToString(bool strings_quoted, bool keys_quoted, std::string& s,
                 bool indented, int cur_indent, const char* indent_string,
                 bool natural_utf8 = false) const {
+    static constexpr int kToStringMaxDepth = 64;
     if (type_ == FBT_STRING) {
       String str(Indirect(), byte_width_);
       if (strings_quoted) {
@@ -623,6 +624,10 @@ class Reference {
       s += "null";
     } else if (IsBool()) {
       s += AsBool() ? "true" : "false";
+    } else if ((IsMap() || IsVector() || IsTypedVector() ||
+               IsFixedTypedVector()) &&
+              cur_indent >= kToStringMaxDepth) {
+      s += "...";
     } else if (IsMap()) {
       s += "{";
       s += indented ? "\n" : " ";
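Review bot: The new cap bounds recursion depth but not total work: a self-referential vector with two or more elements still fans out to roughly 2^64 `"..."` leaves before `cur_indent >= kToStringMaxDepth` trips, so an input that passes VerifyBuffer can still drive ToString into unbounded time and output growth, and the stack overflow becomes memory/CPU exhaustion instead. A per-call budget on emitted bytes or visited nodes, or a visited-offset check threaded through the recursion, would close that gap. The guard also presumes every recursive call in ToString and in AppendToString (both outside the hunk) passes `cur_indent + 1`; if any path forwards `cur_indent` unchanged the bound is never reached, which the hunk cannot show. The constant deserves a comment stating why it exists, e.g. `// Depth bound for the ToString/AppendToString mutual recursion: VerifyBuffer accepts self-referential vectors, so nesting must be capped here (google/flatbuffers#9074).` ToString's body continues outside both hunks.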