From 2136f6800ae9e484ee6ac18d9bd90fef37ea42a8 Mon Sep 17 00:00:00 2001
From: past3l
Date: Wed, 22 Apr 2026 10:50:56 +0200
Subject: [PATCH 1/2] Fix heap OOB read in FlexBuffers Verifier::VerifyKey()

VerifyKey() was returning true for any non-null byte, which meant keys without null terminators passed verification. Subsequent map lookups using strcmp() on these keys would read past the buffer. The fix checks for the null terminator explicitly (== 0) so that only properly terminated keys pass verification.
---
 include/flatbuffers/flexbuffers.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca..d4711806bb 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -1976,7 +1976,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 bool VerifyKey(const uint8_t* p) {
 FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
 while (p < buf_ + size_)
- if (*p++) return true;
+ if (*p++ == 0) return true;
 return false;
 }

From 69edb19c94d4790988e4da58e1b048c905d6ce06 Mon Sep 17 00:00:00 2001
From: past3l
Date: Wed, 22 Apr 2026 11:01:02 +0200
Subject: [PATCH 2/2] Trigger CLA re-check
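Review bot: The corrected loop is right only because the terminator, not merely the first byte, must lie inside the buffer, and nothing in VerifyKey() says so; a one-line comment above the `while` would stop the next reader from "simplifying" it back to the old early return: `// Keys are NUL-terminated and later compared with strcmp(), so the terminator itself must be inside [buf_, buf_ + size_).` The scan's lower bound relies on FLEX_CHECK_VERIFIED having already rejected a `p` below `buf_`; that macro is outside the hunk, so it is worth confirming it checks both ends of the range rather than only the upper one. Since the old behaviour let an unterminated trailing key pass, a regression test that builds a buffer whose final key has its terminator truncated and asserts the verifier rejects it would pin this fix against future refactors. The enclosing Verifier class continues outside the hunk.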