From 0e3e88869107e1868df9682cad38f4e65f2637c3 Mon Sep 17 00:00:00 2001
From: Ashutosh Kumar Singh <161562995+Ashutosh0x@users.noreply.github.com>
Date: Tue, 26 May 2026 14:23:13 +0530
Subject: [PATCH] fix: add buffer verification in GenTextFile to prevent OOB reads

GenTextFile() passes the buffer to GenText() without verification. A corrupted vector length causes unbounded OOB heap reads in release builds where FLATBUFFERS_ASSERT is stripped. Add Verifier check before text generation to reject corrupt buffers.

Fixes #9051
---
 src/idl_gen_text.cpp | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/idl_gen_text.cpp b/src/idl_gen_text.cpp
index 6908305535..961a67bc4e 100644
--- a/src/idl_gen_text.cpp
+++ b/src/idl_gen_text.cpp
@@ -447,6 +447,25 @@ const char* GenTextFile(const Parser& parser, const std::string& path,
                            : "SaveFile failed";
   }
   if (!parser.builder_.GetSize() || !parser.root_struct_def_) return nullptr;
+  // Verify buffer integrity before text generation to prevent OOB reads
+  // from corrupted vector lengths or field offsets (see #9051).
+  {
+    flatbuffers::Verifier verifier(parser.builder_.GetBufferPointer(),
+                                   parser.builder_.GetSize());
+    if (!parser.root_struct_def_->fixed
+            ? !verifier.VerifyBuffer(
+                  parser.file_identifier_.length()
+                      ? parser.file_identifier_.c_str()
+                      : nullptr)
+            : !verifier.VerifyBufferFromStart(
+                  parser.file_identifier_.length()
+                      ? parser.file_identifier_.c_str()
+                      : nullptr,
+                  parser.builder_.GetSize())) {
+      return "buffer failed verification, refusing to generate JSON from "
+             "potentially corrupt data";
+    }
+  }
   std::string text;
   auto err = GenText(parser, parser.builder_.GetBufferPointer(), &text);
   if (err) return err;
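Review bot: The added `verifier.VerifyBuffer(...)` and `verifier.VerifyBufferFromStart(...)` calls supply no root type, yet in verifier.h both are templates over the generated root table type `T` and end in `T::Verify(*this)`; a schema that exists only at runtime in the Parser has no such type, so as written this appears not to compile, and even with some `T` it could not check the table fields of the parsed schema, which is the whole point of the fix. The API for a runtime-known schema is the reflection-based `flatbuffers::Verify(schema, root_table, buf, size)` in reflection.h, which needs a serialized `reflection::Schema`; be aware that `Parser::Serialize()` appears to rebuild into `parser.builder_`, i.e. it would clobber the very buffer being verified, so the schema must be produced into a separate builder. Independently, the second argument to `VerifyBufferFromStart` is the start offset of the root, not the buffer length, so `parser.builder_.GetSize()` would begin verification at the end of the buffer; if a struct root can reach this code at all, that argument should be `0`. GenTextFile is also only one caller: if `GenText(parser, buf, text)` is itself reachable with untrusted buffers, the same rejection belongs at that entry point, otherwise #9051 stays open for those callers. GenTextFile begins before and continues after this hunk.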