Fix FlexBuffers Verifier tracking vectors reuse at wrong offset

See test for an example. Found in: https://github.com/aardappel/lobster/pull/193
2026-06-02 04:04:19 +00:00 · 2022-08-05 10:45:01 -07:00
parent 50dd385b30
commit ec0129369c
2 changed files with 21 additions and 2 deletions
--- a/tests/test.cpp
+++ b/tests/test.cpp
@@ -3304,6 +3304,24 @@ void FlexBuffersTest() {
  TEST_EQ(slb.GetSize(), 664);
 }

+void FlexBuffersReuseBugTest() {
+  flexbuffers::Builder slb;
+  slb.Map([&]() {
+    slb.Vector("vec", [&]() {});
+    slb.Bool("bool", true);
+  });
+  slb.Finish();
+  std::vector<uint8_t> reuse_tracker;
+  // This would fail before, since the reuse_tracker would use the address of
+  // the vector reference to check for reuse, but in this case we have an empty
+  // vector, and since the size field is before the pointer, its address is the
+  // same as thing after it, the key "bool".
+  // We fix this by using the address of the size field for tracking reuse.
+  TEST_EQ(flexbuffers::VerifyBuffer(slb.GetBuffer().data(),
+                                    slb.GetBuffer().size(), &reuse_tracker),
+          true);
+}
+
 void FlexBuffersFloatingPointTest() {
 #if defined(FLATBUFFERS_HAS_NEW_STRTOD) && (FLATBUFFERS_HAS_NEW_STRTOD > 0)
  flexbuffers::Builder slb(512,
@@ -4568,6 +4586,7 @@ int FlatBufferTests() {
  JsonDefaultTest();
  JsonEnumsTest();
  FlexBuffersTest();
+  FlexBuffersReuseBugTest();
  FlexBuffersDeprecatedTest();
  UninitializedVectorTest();
  EqualOperatorTest();