From 76812fd6179bb7210ea9f5134221dc4595c4de8a Mon Sep 17 00:00:00 2001 From: kakarotsec <45924460+kakarotsec@users.noreply.github.com> Date: Sun, 3 May 2026 18:51:53 +0600 Subject: [PATCH] Fix logic inversion in FlexBuffers VerifyKey() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit VerifyKey() returns true on the first non-zero byte instead of checking for a null terminator. This causes VerifyBuffer() to accept FlexBuffers with non-null-terminated keys. Subsequent access to those keys via strlen()/strcmp() reads out of bounds. The condition if (*p++) should be if (!*p++) — return true when a null terminator is found, not when any non-zero byte is found. Confirmed with AddressSanitizer: heap-buffer-overflow in strlen() after VerifyBuffer() returns true on a corrupted buffer.
---
include/flatbuffers/flexbuffers.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h
index 1ed6a41bca..5c42a7ed47 100644
--- a/include/flatbuffers/flexbuffers.h
+++ b/include/flatbuffers/flexbuffers.h
@@ -1976,7 +1976,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 
 bool VerifyKey(const uint8_t* p) {
 FLEX_CHECK_VERIFIED(p, PackedType(BIT_WIDTH_8, FBT_KEY));
 while (p < buf_ + size_)
- if (*p++) return true;
+ if (!*p++) return true;
 return false;
 }
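Review bot: The one-character fix to VerifyKey() is correct, but the commit adds no regression test, so the inverted condition could silently come back; a unit test that hands VerifyBuffer() a buffer whose key bytes run to the end of the buffer with no 0x00 and asserts it returns false would pin the behavior the description was verified under ASan. The scan also deserves a comment, since the loop reads as a generic byte walk: `// A key is valid only if a NUL terminator lies inside [p, buf_ + size_); reaching the end without one fails verification.` The byte loop could be expressed as `return std::memchr(p, 0, static_cast<size_t>(buf_ + size_ - p)) != nullptr;` if p is known to be below buf_ + size_ here, which I cannot confirm from the hunk because FLEX_CHECK_VERIFIED's bounds behavior is not visible. Whether FLEX_CHECK_VERIFIED also records the key as verified, so a second call short-circuits, is likewise outside this hunk.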