Fix heap OOB write in ForAllFields when field ID exceeds field count#9054
Open
mohamedelabbas1996 wants to merge 1 commit intogoogle:masterfrom
Open
Fix heap OOB write in ForAllFields when field ID exceeds field count#9054mohamedelabbas1996 wants to merge 1 commit intogoogle:masterfrom
mohamedelabbas1996 wants to merge 1 commit intogoogle:masterfrom
Conversation
Add bounds check in ForAllFields to validate that field->id() does not exceed the number of fields before using it as an index into field_to_id_map. Without this check, a crafted .bfbs binary schema with a field ID larger than the field count causes an out-of-bounds write past the field_to_id_map vector (CWE-122). The FlatBuffer verifier validates structural integrity but does not check the semantic constraint that field.id < fields.size(), so a structurally valid .bfbs can trigger this bug. PoC: A 340-byte .bfbs with field->id()=100 and 3 fields causes ASAN to report heap-buffer-overflow WRITE at reflection.cpp:387.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add bounds check in
ForAllFieldsto validate thatfield->id()does not exceed the number of fields before using it as an index intofield_to_id_map.Without this check, a crafted
.bfbsbinary schema with a field ID larger than the field count causes an out-of-bounds write past thefield_to_id_mapvector atreflection.cpp:387. The crafted.bfbspassesreflection::VerifySchemaBuffer()— the verifier does not catch this because it only validates structural integrity, not the semantic constraint thatfield.id() < fields.size().Root Cause
field->id()is auint16_tread from the.bfbsbinary schema. With a crafted value of 100 and only 3 fields, the write goes 388 bytes past the 12-byte allocation into adjacent heap memory.Proof of Concept
Step 1: Generate a normal
.bfbs:Step 2: Patch one field's ID from
2to100(a 2-byte change in the binary):Step 3: Process with any tool that calls
ForAllFields:ASAN Output (macOS, confirmed)
Linux/glibc Verification (Ubuntu 22.04, confirmed)
On Linux without ASAN, the corruption is completely silent — no crash, no error:
The program continues running with corrupted heap memory. The callback receives wrong field data (
hpappears twice instead ofmana), proving the corruption affects program behavior.Verification Summary
Impact
Who is affected
ForAllFieldsis called from:binary_annotator.cpp—flatc --annotatebfbs_gen_lua.cpp— Lua code generation from.bfbsbfbs_gen_nim.cpp— Nim code generation from.bfbsAttack scenario
In CI/CD pipelines that process
.bfbsfiles from pull requests:.bfbsfile (340 bytes)flatc --annotateor code generation on the.bfbsSeverity justification
field->id(), uint16 range 0-65535)Fix
Added
if (field->id() < object->fields()->size())guard before the array write. Fields with out-of-range IDs are silently skipped, preventing the OOB write while maintaining correct behavior for valid schemas.