libyaml: Fix yaml_write_handler return values #11818
Merged
See #11811
libyaml expects 1 for success and 0 for failure.
https://github.com/yaml/libyaml/blob/master/src/writer.c#L53-L62
The logic is currently reversed, which (in combination with the failing check for the yaml_emitter_dump return value) caused several wrong bug reports and a CVE.
The fuzzer programs just ignore the failing yaml_emitter_dump, and so I assume it never appeared as a problem. Only in the cases where the wrongly called yaml_emitter_close ran into a case where it popped from an empty stack was an overflow detected.
The input YAML in question just had a lot of nested sequences in the form
which in canonical output mode resulted in a large output because of the indentation, and so the buffer flush was triggered before the emitter finished:
In most cases the YAML is simply too small to produce the error because the flush happened when the output was complete.
Note that this does not yet fix the missing error handling of `yaml_emitter_dump` in libyaml_dumper_fuzzer.c etc.
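As an added illustration of the return convention the description refers to (this is not code from the PR, from oss-fuzz, or from libyaml): the typedef below mirrors libyaml's `yaml_write_handler_t` so the file builds without `yaml.h`; the `sink_t` buffer and the `emit_chunks` flush driver are constructed stand-ins for the real emitter, and `write_handler_reversed` reproduces the shape of the bug, a successful write reported as failure. Because the emitter treats a 0 return as a write error, emission stops at the first flush even though the bytes were written, which is why the problem only surfaces once the output is large enough to trigger a flush before the document is complete.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors libyaml's yaml_write_handler_t (int (*)(void *, unsigned char *, size_t))
 * so this file builds without yaml.h. Contract: return 1 on success, 0 on failure. */
typedef int (*write_handler_t)(void *data, unsigned char *buffer, size_t size);

/* Constructed output sink: a growable byte buffer with an artificial capacity
 * limit so that a failing write can be exercised deliberately. */
typedef struct {
    unsigned char *buf;
    size_t len;
    size_t cap;
    size_t limit;
} sink_t;

void sink_init(sink_t *s, size_t limit) {
    s->buf = NULL; s->len = 0; s->cap = 0; s->limit = limit;
}

void sink_free(sink_t *s) {
    free(s->buf); s->buf = NULL; s->len = 0; s->cap = 0;
}

/* Appends bytes; returns 1 on success, 0 if the limit is hit or allocation fails. */
int sink_append(sink_t *s, const unsigned char *p, size_t n) {
    if (s->len + n > s->limit) return 0;
    if (s->len + n > s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        while (ncap < s->len + n) ncap *= 2;
        unsigned char *nb = realloc(s->buf, ncap);
        if (!nb) return 0;
        s->buf = nb; s->cap = ncap;
    }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    return 1;
}

/* Reversed handler, the shape of the bug the PR describes: it reports
 * 0 after a successful write and 1 after a failed one. */
int write_handler_reversed(void *data, unsigned char *buffer, size_t size) {
    return sink_append((sink_t *)data, buffer, size) ? 0 : 1;
}

/* Correct handler: passes the sink's 1/0 result straight through, which is
 * exactly the convention libyaml expects from a write handler. */
int write_handler_fixed(void *data, unsigned char *buffer, size_t size) {
    return sink_append((sink_t *)data, buffer, size);
}

/* Constructed stand-in for the emitter's buffer flush: like libyaml, a 0 return
 * from the handler is treated as a write error and stops emission. Returns 1 if
 * every chunk was accepted, 0 on the first reported failure. */
int emit_chunks(write_handler_t h, sink_t *s, const char **chunks, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!h(s, (unsigned char *)chunks[i], strlen(chunks[i]))) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample: a small document emitted in four flushes. */
    const char *doc[] = { "---\n", "- [\n", "  - a\n", "]\n" };
    sink_t s;

    sink_init(&s, 1024);
    int ok = emit_chunks(write_handler_fixed, &s, doc, 4);
    printf("fixed handler:    emit %s, %zu bytes written\n", ok ? "succeeded" : "failed", s.len);
    sink_free(&s);

    sink_init(&s, 1024);
    ok = emit_chunks(write_handler_reversed, &s, doc, 4);
    printf("reversed handler: emit %s, %zu bytes written\n", ok ? "succeeded" : "failed", s.len);
    sink_free(&s);
    return 0;
}
```

The reversed run is the telling one: the first chunk lands in the buffer, yet `emit_chunks` returns failure, so a caller that checks the dump result (as the description notes the fuzzers currently do not) would see an error on perfectly valid input. The third scenario in the checks below, a real write failure with the fixed handler, shows the correct path: the handler returns 0, emission stops, and nothing past the limit is written.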