Fix: Check flatbuffer integrity before parsing

Updated flatbuffer to latest version to get verify buffer
Use strol for key parsing to ensure exceptions do not result in a crash.

Author: AustinBenoit

cmake/external/flatbuffers.cmake

@@ -18,9 +18,8 @@ if(TARGET flatbuffers OR NOT DOWNLOAD_FLATBUFFERS)
   return()
 endif()
 
-set(version 99aa1ef21dd9dc3f9d4fb0eb82f4b59d0bb5e4c5)
-set(patch_file
-  ${CMAKE_CURRENT_LIST_DIR}/../../scripts/git/patches/flatbuffers/0001-remove-unused-var.patch)
+# Commit corresponds to Tag v25.12.19-2026-02-06-03fffb2
+set(version 95fda8c23e6e30ebd975892b5fad01efa53e039c)
 
 ExternalProject_Add(
   flatbuffers
@@ -29,7 +28,6 @@ ExternalProject_Add(
     COMMAND git init flatbuffers
     COMMAND cd flatbuffers && git fetch --depth=1 https://github.com/google/flatbuffers.git ${version} && git reset --hard FETCH_HEAD
 
-  PATCH_COMMAND git apply ${patch_file} && git gc --aggressive
   PREFIX ${PROJECT_BINARY_DIR}
 
   CONFIGURE_COMMAND ""

remote_config/src/desktop/config_data.cc

@@ -49,6 +49,9 @@ std::string NamespacedConfigData::Serialize() const {
 void NamespacedConfigData::Deserialize(const std::string& buffer) {
   const uint8_t* data = reinterpret_cast<const uint8_t*>(buffer.data());
   size_t size = buffer.size();
+  if (!flexbuffers::VerifyBuffer(data, size)) {
+    return;
+  }
   auto struct_map = flexbuffers::GetRoot(data, size).AsMap();
   flexbuffers::Map ns_config_map = struct_map["config_"].AsMap();
   for (int i = 0, in = ns_config_map.size(); i < in; ++i) {
@@ -142,6 +145,9 @@ std::string LayeredConfigs::Serialize() const {
 void LayeredConfigs::Deserialize(const std::string& buffer) {
   const uint8_t* data = reinterpret_cast<const uint8_t*>(buffer.data());
   size_t size = buffer.size();
+  if (!flexbuffers::VerifyBuffer(data, size)) {
+    return;
+  }
   auto struct_map = flexbuffers::GetRoot(data, size).AsMap();
   fetched.Deserialize(struct_map["fetched"].AsString().str());
   active.Deserialize(struct_map["active"].AsString().str());

remote_config/src/desktop/file_manager.cc

@@ -37,10 +37,14 @@ namespace internal {
 RemoteConfigFileManager::RemoteConfigFileManager(const std::string& filename,
                                                  const firebase::App& app) {
   std::string app_data_prefix =
-      std::string(app.options().package_name()) + "/" + app.name();
-  std::string file_path =
-      AppDataDir(app_data_prefix.c_str(), /*should_create=*/true) + "/" +
-      filename;
+      std::string(app.options().package_name()) + "/remote_config";
+  std::string error;
+  std::string app_dir =
+      AppDataDir(app_data_prefix.c_str(), /*should_create=*/true, &error);
+  std::string file_path;
+  if (error.empty() && !app_dir.empty()) {
+    file_path = app_dir + "/" + app.name() + "_" + filename;
+  }
 #if FIREBASE_PLATFORM_WINDOWS
   std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> utf8_to_wstring;
   file_path_ = utf8_to_wstring.from_bytes(file_path);
@@ -50,16 +54,28 @@ RemoteConfigFileManager::RemoteConfigFileManager(const std::string& filename,
 }
 
 bool RemoteConfigFileManager::Load(LayeredConfigs* configs) const {
+  if (file_path_.empty()) {
+    return false;
+  }
   std::fstream input(file_path_, std::ios::in | std::ios::binary);
+  if (!input) {
+    return false;
+  }
   std::stringstream ss;
   ss << input.rdbuf();
   configs->Deserialize(ss.str());
   return true;
 }
 
 bool RemoteConfigFileManager::Save(const LayeredConfigs& configs) const {
+  if (file_path_.empty()) {
+    return false;
+  }
   std::string buffer = configs.Serialize();
   std::fstream output(file_path_, std::ios::out | std::ios::binary);
+  if (!output) {
+    return false;
+  }
   output.write(buffer.c_str(), buffer.size());
   return true;
 }

remote_config/src/desktop/metadata.cc

@@ -14,6 +14,7 @@
 
 #include "remote_config/src/desktop/metadata.h"
 
+#include <limits>
 #include <map>
 #include <string>
 
@@ -58,6 +59,9 @@ std::string RemoteConfigMetadata::Serialize() const {
 void RemoteConfigMetadata::Deserialize(const std::string& buffer) {
   const uint8_t* data = reinterpret_cast<const uint8_t*>(buffer.data());
   size_t size = buffer.size();
+  if (!flexbuffers::VerifyBuffer(data, size)) {
+    return;
+  }
   auto struct_map = flexbuffers::GetRoot(data, size).AsMap();
 
   flexbuffers::Map info = struct_map["info"].AsMap();
@@ -75,7 +79,18 @@ void RemoteConfigMetadata::Deserialize(const std::string& buffer) {
   settings_.clear();
   flexbuffers::Map settings = struct_map["settings"].AsMap();
   for (int i = 0, n = settings.size(); i < n; ++i) {
-    int int_key = std::stoi(settings.Keys()[i].AsKey());
+    const char* key_str = settings.Keys()[i].AsKey();
+    if (!key_str) continue;
+    char* endptr = nullptr;
+    long raw_key = std::strtol(key_str, &endptr, 10);
+    if (endptr == key_str || *endptr != '\0') {
+      continue;
+    }
+    if (raw_key < std::numeric_limits<int>::min() ||
+        raw_key > std::numeric_limits<int>::max()) {
+      continue;
+    }
+    int int_key = static_cast<int>(raw_key);
     settings_[static_cast<ConfigSetting>(int_key)] =
         settings.Values()[i].AsString().c_str();
   }