From 477fedccd4d500c63050ee134eddb27901add7bd Mon Sep 17 00:00:00 2001
From: Tiago Cogumbreiro
Date: Fri, 18 Sep 2015 20:38:47 -0500
Subject: [PATCH] Fix an out-of bounds read when the element is bigger than the buffer.

Ensure the size of the buffer being checked is bigger than the element of the buffer being checked. The buffer can be triggered when, for example, the buffer is of length zero and we are checking for: Verify(buf_) The condition above should fail.
---
 include/flatbuffers/flatbuffers.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/flatbuffers/flatbuffers.h b/include/flatbuffers/flatbuffers.h
index 3bf1f0ae2..4c40da033 100644
--- a/include/flatbuffers/flatbuffers.h
+++ b/include/flatbuffers/flatbuffers.h
@@ -898,7 +898,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
 
   // Verify any range within the buffer.
   bool Verify(const void *elem, size_t elem_len) const {
-    return Check(elem >= buf_ && elem <= end_ - elem_len);
+    return Check(elem_len <= (size_t) (end_ - buf_) && elem >= buf_ && elem <= end_ - elem_len);
   }
 
   // Verify a range indicated by sizeof(T).
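Review bot: The new length guard in `Verify` only protects `end_ - elem_len` because `&&` evaluates it first, and nothing in the function says so, so a later reorder of the three conditions would silently bring back the out-of-bounds read. I would add a comment above the return such as `// elem_len must be checked first: otherwise end_ - elem_len can point before buf_ and the range test passes for an element larger than the buffer.` The C-style `(size_t) (end_ - buf_)` would read better as `static_cast<size_t>(end_ - buf_)`; this assumes `end_ >= buf_` always holds, which cannot be confirmed here because both members are declared outside the hunk. The diffstat shows only the header changed, so a regression test for the zero-length-buffer case named in the description would be worth adding alongside.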