From 744427f9eed77bd94ce7cee1c8b5b7d98c71190d Mon Sep 17 00:00:00 2001
From: VoltVoks <39782935+VoltVoks@users.noreply.github.com>
Date: Thu, 21 May 2026 15:19:24 -0700
Subject: [PATCH] Guard BFBS identifier probes in Parser::Deserialize

---
 src/idl_parser.cpp | 22 ++++++++++++++++------
 tests/test.cpp | 19 +++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/src/idl_parser.cpp b/src/idl_parser.cpp
index b1bdffa014..3c93780a2f 100644
--- a/src/idl_parser.cpp
+++ b/src/idl_parser.cpp
@@ -4421,14 +4421,24 @@ bool Definition::DeserializeAttributes(
 /* DESERIALIZATION */
 /************************************************************************/
 bool Parser::Deserialize(const uint8_t* buf, const size_t size) {
+  if (!buf) return false;
+
   flatbuffers::Verifier verifier(reinterpret_cast(buf), size);
+  const size_t file_identifier_offset = sizeof(flatbuffers::uoffset_t);
+  const size_t size_prefixed_file_identifier_offset =
+      2 * sizeof(flatbuffers::uoffset_t);
+  const bool has_schema_identifier =
+      size >= file_identifier_offset + flatbuffers::kFileIdentifierLength &&
+      reflection::SchemaBufferHasIdentifier(buf);
+  const bool has_size_prefixed_schema_identifier =
+      size >= size_prefixed_file_identifier_offset +
+                  flatbuffers::kFileIdentifierLength &&
+      flatbuffers::BufferHasIdentifier(buf, reflection::SchemaIdentifier(),
+                                       true);
   bool size_prefixed = false;
-  if (!reflection::SchemaBufferHasIdentifier(buf)) {
-    if (!flatbuffers::BufferHasIdentifier(buf, reflection::SchemaIdentifier(),
-                                          true))
-      return false;
-    else
-      size_prefixed = true;
+  if (!has_schema_identifier) {
+    if (!has_size_prefixed_schema_identifier) return false;
+    size_prefixed = true;
   }
   auto verify_fn = size_prefixed ? &reflection::VerifySizePrefixedSchemaBuffer
diff --git a/tests/test.cpp b/tests/test.cpp
index 5a43546f53..98b317bb87 100644
--- a/tests/test.cpp
+++ b/tests/test.cpp
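Review bot: The two minimum-size guards in front of `has_schema_identifier` and `has_size_prefixed_schema_identifier` hard-code the buffer layout that `BufferHasIdentifier` assumes (a `uoffset_t` root offset, optionally preceded by a `uoffset_t` size prefix, then `kFileIdentifierLength` bytes), but nothing in the hunk says why they exist, so a later reader could fold them away as redundant with the verifier. Add a comment above the first guard, e.g. `// BufferHasIdentifier takes no size and reads kFileIdentifierLength bytes at a fixed offset; only probe once the buffer is long enough to hold them.` The offsets are compile-time constants and read better as `constexpr size_t file_identifier_offset = sizeof(flatbuffers::uoffset_t);` and likewise for the size-prefixed one. Both probes are now evaluated eagerly, so the size-prefixed `BufferHasIdentifier` call runs even when the plain identifier already matched; harmless, but the removed code short-circuited it. `Parser::Deserialize` continues past the end of the hunk.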
@@ -1171,6 +1171,24 @@ void TestEmbeddedBinarySchema(const std::string& tests_data_path) {
 }
 #endif

+void TestDeserializeRejectsShortBinarySchemaBuffers() {
+  flatbuffers::Parser null_parser;
+  TEST_EQ(false, null_parser.Deserialize(nullptr, 0));
+  TEST_EQ(false,
+          null_parser.Deserialize(
+              nullptr, sizeof(flatbuffers::uoffset_t) +
+                           flatbuffers::kFileIdentifierLength));
+
+  const size_t size_prefixed_identifier_size =
+      2 * sizeof(flatbuffers::uoffset_t) + flatbuffers::kFileIdentifierLength;
+  for (size_t size = 1; size < size_prefixed_identifier_size; size++) {
+    std::string buf(size, 'x');
+    flatbuffers::Parser parser;
+    TEST_EQ(false, parser.Deserialize(
+                       reinterpret_cast(buf.data()), size));
+  }
+}
+
 template
 void EmbeddedSchemaAccessByType() {
   // Get the binary schema from the Type itself.
@@ -1765,6 +1783,7 @@ int FlatBufferTests(const std::string& tests_data_path) {
   MiniReflectFixedLengthArrayTest();
   SizePrefixedTest();
+  TestDeserializeRejectsShortBinarySchemaBuffers();
   AlignmentTest();
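Review bot: The loop in `TestDeserializeRejectsShortBinarySchemaBuffers` only feeds buffers of `'x'` that are shorter than the size-prefixed threshold, so every rejection comes from the new length guards and the identifier probes never succeed; the case that shows the guards do not just mask the problem is a buffer exactly `sizeof(flatbuffers::uoffset_t) + flatbuffers::kFileIdentifierLength` bytes long carrying `reflection::SchemaIdentifier()` at the identifier offset, which passes the probe and should then be rejected by the schema verifier. The mirror case at the size-prefixed offset would cover the other branch. The loop could also start at `size = 0` so a zero-length buffer with a non-null pointer is covered. The added function lies entirely within the hunk.
```cpp
  // … unchanged: nullptr cases and the short-'x'-buffer loop …
  // Identifier present, but no room for a root table: the probe passes and
  // the verifier, not the length guard, must reject the buffer.
  std::string ident_buf(
      sizeof(flatbuffers::uoffset_t) + flatbuffers::kFileIdentifierLength, '\0');
  ident_buf.replace(sizeof(flatbuffers::uoffset_t),
                    flatbuffers::kFileIdentifierLength,
                    reflection::SchemaIdentifier());
  flatbuffers::Parser ident_parser;
  TEST_EQ(false, ident_parser.Deserialize(
                     reinterpret_cast<const uint8_t*>(ident_buf.data()),
                     ident_buf.size()));
```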