From 20715042e2a99ebe5dbcf456d476db5f9e33a743 Mon Sep 17 00:00:00 2001
From: Ashutosh Kumar Singh <161562995+Ashutosh0x@users.noreply.github.com>
Date: Tue, 26 May 2026 13:30:44 +0530
Subject: [PATCH] fix: add bounds checking before GetFieldT in reflection VerifyObject

Add VerifyField checks before GetFieldT calls in VerifyObject for Obj and Union field types. Without these checks, a malformed table with out-of-bounds field offsets causes GetFieldT to compute a pointer outside the buffer, leading to heap-buffer-
overflow in ReadScalar during reflection verification.

Fixes #9040
---
 src/reflection.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/reflection.cpp b/src/reflection.cpp
index 268d7d8515..40e105c8d6 100644
--- a/src/reflection.cpp
+++ b/src/reflection.cpp
@@ -240,6 +240,14 @@ static bool VerifyObject(flatbuffers::Verifier& v,
 return false;
 }
 } else {
+ // Verify the field offset points within the buffer before
+ // dereferencing it via GetFieldT. Without this check, a malformed
+ // table with an out-of-bounds field offset causes GetFieldT to
+ // compute a pointer outside the buffer, leading to a heap-buffer-
+ // overflow in ReadScalar. See github.com/google/flatbuffers/issues/9040
+ if (!table->VerifyField(v, field_def->offset(), sizeof(uoffset_t))) return false;
 if (!VerifyObject(v, schema, *child_obj,
 flatbuffers::GetFieldT(*table, *field_def),
 field_def->required())) {
@@ -252,6 +260,11 @@ static bool VerifyObject(flatbuffers::Verifier& v,
 // get union type from the prev field
 voffset_t utype_offset = field_def->offset() - sizeof(voffset_t);
 auto utype = table->GetField(utype_offset, 0);
+ // Verify the field offset before dereferencing via GetFieldT.
+ // See github.com/google/flatbuffers/issues/9040
+ if (!table->VerifyField(v, field_def->offset(), sizeof(uoffset_t))) return false;
 auto uval = reinterpret_cast(
 flatbuffers::GetFieldT(*table, *field_def));
 if (!VerifyUnion(v, schema, utype, uval, *field_def)) {
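Review bot: The new `VerifyField` check in the Obj branch only verifies that the 4-byte offset slot itself lies inside the buffer; it does not verify that the uoffset stored in that slot resolves to a location inside the buffer, which is exactly what `GetFieldT` follows on the next line. `Table::VerifyOffset` performs both checks and is the guard used for table and string fields elsewhere in flatbuffers, so `if (!table->VerifyOffset(v, field_def->offset())) return false;` is the more direct fix, and the same applies to the identical check added in the second hunk (the Union branch). The downstream callees (`VerifyObject` with its table-start verification, `VerifyUnion`) presumably re-validate the target pointer before reading through it, which is why the patch as written still closes the reported overflow, but relying on every callee to do so is fragile and deserves a sentence in the comment if the weaker check is kept. In the Union hunk, the `utype` read via `table->GetField(utype_offset, 0)` two lines above the inserted check dereferences another table slot; unless the matching UType field is guaranteed to have been verified earlier in the field loop, it wants its own guard such as `if (!table->VerifyField<uint8_t>(v, utype_offset, sizeof(uint8_t))) return false;` before that read. VerifyObject's body extends outside both hunks, and `VerifyField` and `reinterpret_cast` appear here without template arguments, presumably an artifact of this rendering rather than of the patch.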