Fix FlexBuffers VerifyKey() inverted null-terminator check

[Sebasteuo]

Fix FlexBuffers VerifyKey() inverted null-terminator check

VerifyKey() incorrectly returned true upon encountering a non-null byte instead of verifying that a null terminator exists within the buffer bounds.

Bug

The condition if (*p++) return true; returns true on the first non-null byte, meaning any key with at least one non-null byte passes verification regardless of whether a null terminator exists within the buffer.

Impact

After verification, calls to AsString(), AsKey(), or ToString() on a FBT_KEY reference invoke strlen() which reads past the buffer boundary (heap/stack OOB read).

Fix

Negate the condition to check for the null terminator:

-      if (*p++) return true;
+      if (!*p++) return true;

Reproduction

uint8_t poc[] = {0x00, 0x10, 0x01, 0x10, 0x01};
std::vector<uint8_t> rt;
bool valid = flexbuffers::VerifyBuffer(poc, sizeof(poc), &rt);
// valid == true (WRONG, should be false)
auto root = flexbuffers::GetRoot(poc, sizeof(poc));
auto s = root.AsString();  // OOB read via strlen()

Compile with: clang++ -fsanitize=address -I include poc.cc src/util.cpp

Found via fuzzing with AddressSanitizer.

[Sebasteuo]

Hi @dbaileychess, just a gentle ping on this PR.

This is a one-character fix for an inverted boolean condition in VerifyKey()
that causes VerifyBuffer() to silently accept malformed FlexBuffers with
unterminated FBT_KEY strings, leading to a heap-buffer-overflow READ via
strlen() in AsString().

ASan-confirmed crash stack:
#0 strlen
#1 flexbuffers::Reference::AsString() flexbuffers.h:577

Would appreciate a review when you have a moment. Happy to add a regression
test to tests/flexbuffers_test.cpp if that would help move this forward.

Thanks!

[Sebasteuo]

@dbaileychess added the regression test to tests/flexbuffers_test.cpp as suggested. FlexBuffersVerifyKeyOOBTest() constructs a malformed FBT_KEY buffer without null terminator and asserts VerifyBuffer() returns false. All tests pass. Ready for review.