
fix: add buffer verification in GenTextFile to prevent OOB heap reads #9102

Open
Ashutosh0x wants to merge 1 commit into google:master from Ashutosh0x:fix/gentext-oob-verify

Conversation

@Ashutosh0x

Fixes #9051

Summary

GenTextFile() passes the internal buffer to GenText() without running the Verifier first. When a binary FlatBuffer has a corrupted vector length field, GenText() iterates past the buffer boundary, causing heap-buffer-overflow reads in release builds (where FLATBUFFERS_ASSERT is stripped).

This is exploitable: flatc --json schema.fbs -- corrupt.bin silently reads and outputs heap memory as JSON array elements, constituting information disclosure (CWE-125).

Root Cause

Vector::Get() uses FLATBUFFERS_ASSERT for bounds checking, which is a no-op in release builds. The GenText() path trusts the vector length from the buffer without verification, unlike the FlexBuffers path which calls VerifyBuffer() in flatc.cpp.

Fix

Add Verifier check in GenTextFile() before calling GenText(). This is consistent with how the FlexBuffers path already verifies buffers before ToString(). The verifier rejects corrupt buffers with an error message rather than silently reading OOB memory.

Testing

The fix can be verified with the PoC from #9051:

  1. Create a valid binary with flatc -b schema.fbs valid.json
  2. Corrupt the vector length field
  3. flatc --json schema.fbs -- corrupt.bin now returns an error instead of leaking heap contents

GenTextFile() passes the buffer to GenText() without verification.
A corrupted vector length causes unbounded OOB heap reads in
release builds where FLATBUFFERS_ASSERT is stripped.

Add Verifier check before text generation to reject corrupt buffers.

Fixes google#9051
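The verify-before-generate pattern the Fix section describes, as an added example that is not FlatBuffers project code and not this PR's diff. It uses a constructed toy vector layout (a uint32 element count followed by int32 elements) instead of the real FlatBuffers encoding, and the names toy::VerifyVectorBuffer, GenTextUnverified, GenTextFileFixed and MakeBuffer are assumptions for illustration. The point it shows is the one the PR makes: the text generator trusts the length field, so the entry point must run a bounds-checking verifier first and refuse the buffer on failure rather than iterate past its end.

```cpp
// Added example (not FlatBuffers project code): "verify before generating
// text" on a toy binary vector format constructed here for illustration.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Toy layout (constructed, NOT the real FlatBuffers encoding):
//   [uint32_t count][int32_t elem_0] ... [int32_t elem_{count-1}]
// A corrupted `count` plays the role of a corrupted vector length field.
namespace toy {

// Verifier analogue: checks the claimed element count against the bytes
// actually present before any element is read. Returns nullptr on success,
// otherwise an error string (mirrors the "error instead of OOB read" goal).
const char *VerifyVectorBuffer(const uint8_t *buf, size_t len) {
  if (buf == nullptr) return "null buffer";
  if (len < sizeof(uint32_t)) return "buffer too small for length field";
  uint32_t count;
  std::memcpy(&count, buf, sizeof(count));
  // Overflow-safe bound: compare counts, never compute count * 4.
  size_t remaining = len - sizeof(uint32_t);
  if (count > remaining / sizeof(int32_t)) return "vector length exceeds buffer";
  return nullptr;
}

// Unverified generation: trusts `count` exactly as the pre-fix GenText()
// trusted the vector length. Only safe on input that has already been verified.
std::string GenTextUnverified(const uint8_t *buf) {
  uint32_t count;
  std::memcpy(&count, buf, sizeof(count));
  std::string out = "[";
  for (uint32_t i = 0; i < count; ++i) {  // no bound on `count` here
    int32_t v;
    std::memcpy(&v, buf + sizeof(uint32_t) + i * sizeof(int32_t), sizeof(v));
    if (i) out += ", ";
    out += std::to_string(v);
  }
  return out + "]";
}

// Fixed entry point, the analogue of the PR's change to GenTextFile():
// run the verifier first; on success fill *text and return nullptr,
// on failure return the error and touch nothing.
const char *GenTextFileFixed(const uint8_t *buf, size_t len, std::string *text) {
  if (const char *err = VerifyVectorBuffer(buf, len)) return err;
  *text = GenTextUnverified(buf);  // safe now: count was bounds-checked
  return nullptr;
}

// Builds a toy buffer with an explicit (possibly wrong) count: constructed
// sample data for the demonstration below.
std::vector<uint8_t> MakeBuffer(uint32_t count, const std::vector<int32_t> &elems) {
  std::vector<uint8_t> buf(sizeof(uint32_t) + elems.size() * sizeof(int32_t));
  std::memcpy(buf.data(), &count, sizeof(count));
  std::memcpy(buf.data() + sizeof(uint32_t), elems.data(), elems.size() * sizeof(int32_t));
  return buf;
}

}  // namespace toy

// Named results so the behaviour can be checked without a harness.
std::string TextForValidBuffer() {
  std::string text;
  auto good = toy::MakeBuffer(3, {10, 20, 30});  // count matches payload
  return toy::GenTextFileFixed(good.data(), good.size(), &text) ? std::string("error") : text;
}

bool CorruptLengthIsRejected() {
  std::string text;
  auto bad = toy::MakeBuffer(1000, {10, 20, 30});  // count claims 1000 elements
  return toy::GenTextFileFixed(bad.data(), bad.size(), &text) != nullptr;
}

int main() {
  std::cout << TextForValidBuffer() << "\n";
  std::cout << (CorruptLengthIsRejected() ? "corrupt buffer rejected" : "BUG: not rejected") << "\n";
  return 0;
}
```

The same three-element payload is accepted when its count is 3 and rejected when the count field claims 1000, without any element being read in the second case; the division-based bound avoids the multiplication overflow that a naive `count * sizeof(int32_t) <= len` check would be exposed to.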
Ashutosh0x requested a review from dbaileychess as a code owner, May 26, 2026 08:53
github-actions bot added labels c++ and codegen (Involving generating code from schema), May 26, 2026
@Ashutosh0x
Author

Hi @dbaileychess — Requesting review on this security fix. It adds flatbuffers::Verifier buffer check in GenTextFile() to prevent OOB heap reads from crafted binaries. Related to issue #9051. Thanks!

@Ashutosh0x
Author

Friendly ping @jtdavis777 @dbaileychess — this is a security fix for #9051 (OOB heap read in flatc --json). The fix adds a Verifier check in GenTextFile() before calling GenText(), consistent with how the FlexBuffers path already verifies buffers. CI is green. Would appreciate a review when you get a chance.


Development

Successfully merging this pull request may close these issues.

Out-of-Bounds Heap Read in flatc --json

1 participant