Skip to content

Fix OOB panic in FlexBuffers Rust get_bool/read_usize and UAF in C++ SymbolTable::Add#9105

Open
XananasX7 wants to merge 2 commits into
google:masterfrom
XananasX7:fix/flexbuffers-rust-oob-and-symboltable-uaf
Open

Fix OOB panic in FlexBuffers Rust get_bool/read_usize and UAF in C++ SymbolTable::Add#9105
XananasX7 wants to merge 2 commits into
google:masterfrom
XananasX7:fix/flexbuffers-rust-oob-and-symboltable-uaf

Conversation

@XananasX7
Copy link
Copy Markdown

@XananasX7 XananasX7 commented May 26, 2026

Summary

Two unpatched memory-safety bugs in google/flatbuffers — one in the Rust FlexBuffers reader and one in the C++ IDL parser. Both are reachable from untrusted input via the public API.

Fix 1: FlexBuffers Rust — OOB panic in get_bool() and read_usize() (fixes #8923)

File: rust/flexbuffers/src/reader/mod.rs

get_bool() at line 326 uses a direct unchecked slice index:

Ok(self.buffer[self.address..self.address + self.width.n_bytes()].iter().any(|&b| b != 0))

When self.address + self.width.n_bytes() exceeds self.buffer.len(), this panics with an index-out-of-bounds. The 4-byte payload [0x5d, 0x79, 0x6b, 0x02] reliably triggers this panic.

Similarly, read_usize() uses &buffer[address..] (panics if address >= buffer.len()) and cursor[0] (panics on empty slice) for W8 widths.

All other numeric accessors (get_u64, etc.) already use .get() with proper error propagation — get_bool and read_usize are the only stragglers.

Fix: Replace direct indexing with .get() + .ok_or(Error::FlexbufferOutOfBounds)? / .unwrap_or_default(), matching the existing pattern in the same file.

Fix 2: C++ IDL — Use-after-free / double-free in SymbolTable::Add() via duplicate enum/table handling (fixes #9009)

File: include/flatbuffers/idl.h

SymbolTable::Add() calls vec.emplace_back(e) before checking for duplicate names:

bool Add(const std::string& name, T* e) {
    vec.emplace_back(e);          // always added first
    auto it = dict.find(name);
    if (it != dict.end()) return true;  // duplicate: caller deletes e, but e is in vec!
    dict[name] = e;
    return false;
}

When a duplicate is found, the caller (idl_parser.cpp) deletes e, but the pointer remains in vec. The destructor ~SymbolTable() later iterates vec and deletes every entry, hitting the already-freed pointer — use-after-free / double-free.

Triggerable via Parser::Deserialize() with a crafted 176-byte .bfbs schema containing a duplicate enum name. A proof-of-concept base64 payload is provided in issue #9009.

Fix: Reorder the duplicate check before vec.emplace_back(e). The pointer is only added to vec if it is not a duplicate, ensuring ~SymbolTable() never frees a pointer that the caller already deleted.

Both fixes are minimal single-location changes that match the existing style and defensive patterns in the codebase.

@XananasX7 XananasX7 requested a review from dbaileychess as a code owner May 26, 2026 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dbaileychess dbaileychess Awaiting requested review from dbaileychess dbaileychess is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ rust

Projects

None yet

Milestone

No milestone

1 participant

@XananasX7