
Avoid double-free on duplicate enum names during BFBS deserialization#9012

Open
steadytao wants to merge 2 commits into google:master from steadytao:fix-9009-avoid-double-free-on-duplicate-enums

Conversation

@steadytao

Summary

Reject duplicate enum names during BFBS deserialisation before transferring ownership into the symbol table.

Problem

SymbolTable::Add() appended objects to its ownership vector before checking for duplicate names. During binary schema deserialisation, duplicate enum names could therefore leave a freed pointer behind in the symbol table and later trigger a double-free during teardown.

Fix

  • check for duplicate names before appending the object to the symbol table's ownership vector
  • add a regression test using a malformed BFBS fixture with duplicate enum names
  • verify that VerifySchemaBuffer() accepts the schema but Parser::Deserialize() rejects it safely

Testing

  • built & ran flattests.exe
  • result: ALL TESTS PASSED

Fixes #9009
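As an added illustration (not FlatBuffers' own SymbolTable or Parser code), a minimal model of the ownership pattern described above: Add() in its original order and in the PR's order, driven by a deserialisation-style loop that deletes a rejected duplicate, with a bookkeeping heap that counts double frees instead of performing them. EnumDef, Heap and the check_first switch are constructed for this example.

```cpp
#include <deque>
#include <map>
#include <set>
#include <string>
#include <vector>

struct EnumDef { std::string name; };

// Bookkeeping "heap": objects live in a deque so addresses stay stable and are never
// reused, and Delete() only records the free, so a double free is counted, not executed.
struct Heap {
  std::deque<EnumDef> arena;
  std::set<const EnumDef *> freed;
  EnumDef *New(const std::string &n) { arena.push_back(EnumDef{n}); return &arena.back(); }
  bool Delete(const EnumDef *e) { return freed.insert(e).second; }  // false = double free
};

// Owning symbol table; check_first selects the PR's ordering (lookup before append).
class SymbolTable {
 public:
  SymbolTable(Heap &h, bool check_first) : heap_(h), check_first_(check_first) {}
  // Returns true when name is a duplicate; the caller then deletes e.
  bool Add(const std::string &name, EnumDef *e) {
    if (!check_first_) vec_.push_back(e);  // original: take ownership first ...
    if (dict_.count(name)) return true;    // ... so a rejected e stays in vec_
    if (check_first_) vec_.push_back(e);   // patched: own only after the check passes
    dict_[name] = e;
    return false;
  }
  // Teardown frees every owned pointer and returns how many were already freed.
  int Teardown() {
    int double_frees = 0;
    for (auto *e : vec_) if (!heap_.Delete(e)) ++double_frees;
    vec_.clear(); return double_frees;
  }
 private:
  Heap &heap_; bool check_first_;
  std::vector<EnumDef *> vec_;             // ownership vector
  std::map<std::string, EnumDef *> dict_;  // name lookup
};

// Models the deserialisation loop: on a duplicate, delete the rejected object and
// stop, as a rejecting Parser::Deserialize() would. Returns the double-free count.
int DeserializeEnums(const std::vector<std::string> &names, bool check_first) {
  Heap heap;
  SymbolTable enums(heap, check_first);
  for (const auto &n : names) {
    EnumDef *e = heap.New(n);
    if (enums.Add(n, e)) { heap.Delete(e); break; }
  }
  return enums.Teardown();
}
```

With the original ordering a duplicate name yields one double free at teardown; with the check moved before the append it yields none.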

SymbolTable::Add() appended objects to its ownership vector before checking for duplicate names. During binary schema deserialization this allowed duplicate enum names to leave a freed pointer behind, which was later deleted again during teardown.

Check for duplicates before storing the pointer and add a regression test that verifies a malformed BFBS fixture is accepted by VerifySchemaBuffer() but rejected safely by Parser::Deserialize().

Tested with flattests.exe; all tests passed.
@steadytao steadytao requested a review from dbaileychess as a code owner April 3, 2026 02:35
@github-actions github-actions bot added the c++ label Apr 3, 2026
jtdavis777 previously approved these changes Apr 3, 2026
Delete the temporary EnumDef in Parser::StartEnum() when duplicate-name registration fails so duplicate enum/union declarations do not leak during parsing.
@github-actions github-actions bot added the codegen Involving generating code from schema label Apr 3, 2026
@steadytao
Author

CIFuzz found a real follow-up leak in Parser::StartEnum(): duplicate enum/union declarations allocate a temporary EnumDef and then return on duplicate-name rejection without freeing it. I’ve pushed a small follow-up onto this PR to delete that temporary object on the error path.

@steadytao steadytao requested a review from jtdavis777 April 3, 2026 15:21

Labels

c++
codegen (Involving generating code from schema)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Use-after-free / double-free in Parser::Deserialize via SymbolTable duplicate handling

2 participants