From 211b697b95fd4101e98ed0e1221ec678c62396a0 Mon Sep 17 00:00:00 2001
From: steadytao
Date: Fri, 3 Apr 2026 12:24:28 +1000
Subject: [PATCH] Reject unterminated FlexBuffers keys during verification

VerifyKey() returned success after encountering any non-zero byte, which allowed malformed FBT_KEY values without a terminating NUL byte to pass VerifyBuffer(). Require a NUL terminator before the end of the buffer and add a regression test for the 4-byte malformed input from issue #9008. Tested with flattests.exe; all tests passed.
---
 include/flatbuffers/flexbuffers.h | 2 +-
 tests/flexbuffers_test.cpp | 8 ++++++++
 tests/flexbuffers_test.h | 1 +
 tests/test.cpp | 1 +
 4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca..d72626745e 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -1976,7 +1976,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 bool VerifyKey(const uint8_t* p) {
 FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
 while (p < buf_ + size_)
- if (*p++) return true;
+ if (*p++ == '\0') return true;
 return false;
 }
diff --git a/tests/flexbuffers_test.cpp b/tests/flexbuffers_test.cpp
index 6087a0affb..f14b06f563 100644
--- a/tests/flexbuffers_test.cpp
+++ b/tests/flexbuffers_test.cpp
@@ -187,6 +187,14 @@ void FlexBuffersReuseBugTest() {
 true);
 }
+void FlexBuffersInvalidKeyVerifierTest() {
+ const uint8_t invalid_key_root[] = { 0x01, 0x01, 0x12, 0x01 };
+ std::vector reuse_tracker;
+ TEST_EQ(flexbuffers::VerifyBuffer(invalid_key_root, sizeof(invalid_key_root),
+ &reuse_tracker),
+ false);
+}
+
 void FlexBuffersFloatingPointTest() {
 #if defined(FLATBUFFERS_HAS_NEW_STRTOD) && (FLATBUFFERS_HAS_NEW_STRTOD > 0)
 flexbuffers::Builder slb(512,
diff --git a/tests/flexbuffers_test.h b/tests/flexbuffers_test.h
index 132098fb37..15cb0747ce 100644
--- a/tests/flexbuffers_test.h
+++ b/tests/flexbuffers_test.h
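Review bot: The corrected predicate in VerifyKey leaves the invariant it now enforces undocumented, and the old one-byte-then-succeed form shows how easily it gets "simplified" back; a comment above the `while` would pin it, e.g. `// A key is a NUL-terminated byte string and the terminator must lie inside [buf_, buf_ + size_); without it, readers that presumably strlen() the key would run past the buffer the verifier vouched for.` The loop is a bounded forward scan for a single byte, so it is equivalent to `return std::memchr(p, '\0', static_cast<size_t>(buf_ + size_ - p)) != nullptr;`, which states the intent directly, provided `<cstring>` is already available to this header (not visible in the hunk). The enclosing Verifier class begins and ends outside the hunk.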
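Review bot: FlexBuffersInvalidKeyVerifierTest pins only the rejection path; because the fix inverts the loop predicate, a positive control that a well-formed, NUL-terminated key still passes VerifyBuffer would also catch the opposite regression (rejecting everything), e.g. a Builder-produced map with one key checked with `TEST_EQ(flexbuffers::VerifyBuffer(buf.data(), buf.size(), &reuse_tracker), true);` in the style the preceding test appears to use. The byte array is opaque without a decoding comment; as I read the FlexBuffers root layout, something like `// root: byte width 1, type 0x12 (FBT_KEY), offset 1 -> key bytes start at index 0; no NUL anywhere before the end of the buffer` would explain why this input must fail. The `std::vector reuse_tracker;` line as rendered has no element type, most likely `<uint8_t>` dropped by the page rendering rather than the commit; worth confirming against the actual file.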
@@ -6,6 +6,7 @@ namespace tests {
 void FlexBuffersTest();
 void FlexBuffersReuseBugTest();
+void FlexBuffersInvalidKeyVerifierTest();
 void FlexBuffersFloatingPointTest();
 void FlexBuffersDeprecatedTest();
 void ParseFlexbuffersFromJsonWithNullTest();
diff --git a/tests/test.cpp b/tests/test.cpp
index 5a43546f53..0736c72422 100644
--- a/tests/test.cpp
+++ b/tests/test.cpp
@@ -1829,6 +1829,7 @@ int FlatBufferTests(const std::string& tests_data_path) {
 CreateSharedStringTest();
 FlexBuffersTest();
 FlexBuffersReuseBugTest();
+ FlexBuffersInvalidKeyVerifierTest();
 FlexBuffersDeprecatedTest();
 UninitializedVectorTest();
 EqualOperatorTest();