From 649f1a09f1269975e02b6768bb9719a276274c3f Mon Sep 17 00:00:00 2001
From: Sebastian Josue Alba Vives
Date: Fri, 3 Apr 2026 12:02:07 -0600
Subject: [PATCH] Fix FlexBuffers VerifyKey() inverted null-terminator check
VerifyKey() incorrectly returned true upon encountering a non-null byte instead of verifying that a null terminator exists within the buffer bounds. This caused the verifier to accept buffers with non-null-terminated keys, leading to out-of-bounds reads via strlen() in AsString(), AsKey(), and ToString(). Found via fuzzing with AddressSanitizer.
---
 include/flatbuffers/flexbuffers.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca2..5c42a7ed476 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -1976,7 +1976,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 bool VerifyKey(const uint8_t* p) {
 FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
 while (p < buf_ + size_)
- if (*p++) return true;
+ if (!*p++) return true;
 return false;
 }
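Review bot: The corrected loop in VerifyKey() encodes a contract that nothing in the function states, which is how the inverted polarity went unnoticed; add `// A key verifies only if a NUL terminator lies inside [p, buf_ + size_): AsKey()/ToString() call strlen() on it afterwards.` above the `while`. The diffstat shows only flexbuffers.h changed, so the case that fuzzing caught has no regression test pinning it — a Verifier test that feeds a buffer whose key bytes run to the end without a NUL and asserts that verification fails would keep the check from flipping back. The fixed loop also returns false when p already sits at or past buf_ + size_, which is the right outcome, but it relies on FLEX_CHECK_VERIFIED (not visible here) to have rejected p outside the buffer before the loop is reached; worth confirming the macro does that rather than only checking the type byte.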