
[BUG] A SEGV in yaml_free at src/api.c:53:14 #312

@JJLeo

Description


Please let me know if you encounter any issues reproducing it — I can upload a Docker image to help.

Steps to reproduce

# Run from a libyaml source checkout; the fuzzer harness and its write handler are fetched from oss-fuzz.
export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/libyaml/libyaml_dumper_fuzzer.c
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/libyaml/yaml_write_handler.h
export SRC=$PWD
export OUT=$PWD

./bootstrap
./configure
make "-j$(nproc)"

for fuzzer in $SRC/*_fuzzer.c; do
  fuzzer_basename=$(basename -s .c $fuzzer)

  $CC $CFLAGS \
      -I $SRC -Iinclude \
      -c $fuzzer -o $fuzzer_basename.o

  $CXX $CXXFLAGS \
      -std=c++11 \
      $fuzzer_basename.o \
      -o $OUT/$fuzzer_basename \
      $LIB_FUZZING_ENGINE \
      src/.libs/libyaml.a
done

# POC: path to the attached libyaml_crash.txt
./libyaml_dumper_fuzzer $POC

Sanitizer output


==15==ERROR: AddressSanitizer: SEGV on unknown address 0x00000046a9fe (pc 0x000000455b24 bp 0x000000000000 sp 0x7ffcde44a8e0 T0)
==15==The signal is caused by a WRITE memory access.
    #0 0x455b24 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/src/libyaml_dumper_fuzzer+0x455b24)
    #1 0x4cfa35 in free (/src/libyaml_dumper_fuzzer+0x4cfa35)
    #2 0x50664f in yaml_free /src/libyaml/src/api.c:53:14
    #3 0x51294b in yaml_document_delete /src/libyaml/src/api.c:1148:5
    #4 0x505ecb in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:308:5
    #5 0x43b543 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/src/libyaml_dumper_fuzzer+0x43b543)
    #6 0x42570e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/src/libyaml_dumper_fuzzer+0x42570e)
    #7 0x42b692 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/src/libyaml_dumper_fuzzer+0x42b692)
    #8 0x454e32 in main (/src/libyaml_dumper_fuzzer+0x454e32)
    #9 0x7e2ffe7e2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x41f8bd in _start (/src/libyaml_dumper_fuzzer+0x41f8bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/libyaml_dumper_fuzzer+0x455b24) in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==15==ABORTING

POC

libyaml_crash.txt

Credit

Reported by Yifan Zhang, PLL
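Triage helper, added here as an example that is not part of the original report or of the libyaml project: it reduces an AddressSanitizer report to the dedup signature used in this issue's title (report kind, first stack frame inside the project tree, access type) and flags the case where the fault is raised inside free() itself. It assumes the project tree is rooted at /src/libyaml/ (the path that appears in the trace); the embedded sample report is a constructed copy of the sanitizer output above, and the fault_in_free heuristic is a triage rule of thumb, not something ASan itself reports.

```shell
#!/bin/sh
# Added triage helper, not part of libyaml or of this report. Reduces an
# AddressSanitizer report to a dedup signature: report kind, first stack frame
# inside the project tree (the tree root is assumed to be /src/libyaml/, the
# path that appears in the trace), and access type. The sample report is a
# constructed copy of the trace from this issue.

SAMPLE_REPORT='==15==ERROR: AddressSanitizer: SEGV on unknown address 0x00000046a9fe (pc 0x000000455b24 bp 0x000000000000 sp 0x7ffcde44a8e0 T0)
==15==The signal is caused by a WRITE memory access.
    #0 0x455b24 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/src/libyaml_dumper_fuzzer+0x455b24)
    #1 0x4cfa35 in free (/src/libyaml_dumper_fuzzer+0x4cfa35)
    #2 0x50664f in yaml_free /src/libyaml/src/api.c:53:14
    #3 0x51294b in yaml_document_delete /src/libyaml/src/api.c:1148:5
    #4 0x505ecb in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:308:5
SUMMARY: AddressSanitizer: SEGV (/src/libyaml_dumper_fuzzer+0x455b24) in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)'

# Report kind from the ERROR line, e.g. SEGV or heap-buffer-overflow.
asan_kind() {
    printf '%s\n' "$1" | sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: \([^ ]*\).*/\1/p' | head -n 1
}

# READ or WRITE when ASan states the access type; empty otherwise.
asan_access() {
    printf '%s\n' "$1" | sed -n 's/.*caused by a \([A-Z]*\) memory access.*/\1/p' | head -n 1
}

# First frame whose source path lies under the given tree root. Frames in the
# sanitizer runtime and libc (#0 and #1 above) are skipped, so two reports that
# differ only in allocator internals collapse to the same signature.
# Prints "function path:line:col".
top_project_frame() {
    printf '%s\n' "$1" | awk -v tree="$2" '
        $1 ~ /^#[0-9]+$/ && $3 == "in" && index($5, tree) == 1 { print $4, $5; exit }'
}

# Signature in the form used for this issue title: "KIND in func at path".
crash_signature() {
    sig_frame=$(top_project_frame "$1" "$2")
    [ -n "$sig_frame" ] || { echo "no project frame found" >&2; return 1; }
    sig_loc=${sig_frame#* }
    printf '%s in %s at %s\n' "$(asan_kind "$1")" "${sig_frame%% *}" "${sig_loc#"$2"}"
}

# Heuristic used during triage (not an ASan rule): when frame #0 is the
# allocator's Deallocate reached from free(), the pointer handed to free() is
# the thing to inspect, not the faulting address in the ERROR line.
fault_in_free() {
    printf '%s\n' "$1" | grep -q '^ *#0 .*Allocator::Deallocate' &&
    printf '%s\n' "$1" | grep -q '^ *#1 .* in free '
}

crash_signature "$SAMPLE_REPORT" /src/libyaml/
echo "access: $(asan_access "$SAMPLE_REPORT")"
if fault_in_free "$SAMPLE_REPORT"; then
    echo "note: fault raised inside free(); start from the pointer yaml_free received"
fi
```

Run it against a saved report with `crash_signature "$(cat report.txt)" /src/libyaml/`; the trailing slash on the tree root matters, since without it the fuzzer binary path /src/libyaml_dumper_fuzzer would also match.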
