Google Git
Sign in
fuchsia/third_party/github.com/google/flatbuffers/a6979fe14adfca20c370dfae5baa1d1aea4e8b26^!/.
commit
a6979fe14adfca20c370dfae5baa1d1aea4e8b26
[log]
author
Rifat Al Jubayer <45924460+kakarotsec@users.noreply.github.com>
Tue May 05 08:11:30 2026 +0600
committer
GitHub <noreply@github.com>
Mon May 04 22:11:30 2026 -0400
tree
57c9ae6237c32f4e0077a2dd728f4a2a0ac662ba
parent
bab10754d93d74d1ff44d46de63558bc4127f7d8 [diff]
Fix logic inversion in FlexBuffers VerifyKey() (#9072)

VerifyKey() returns true on the first non-zero byte instead of
checking for a null terminator. This causes VerifyBuffer() to accept
FlexBuffers with non-null-terminated keys. Subsequent access to those
keys via strlen()/strcmp() reads out of bounds.

The condition if (*p++) should be if (!*p++) — return true
when a null terminator is found, not when any non-zero byte is found.

Confirmed with AddressSanitizer: heap-buffer-overflow in strlen()
after VerifyBuffer() returns true on a corrupted buffer.
diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41..5c42a7e 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h

@@ -1976,7 +1976,7 @@
   bool VerifyKey(const uint8_t* p) {
     FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
     while (p < buf_ + size_)
-      if (*p++) return true;
+      if (!*p++) return true;
     return false;
   }