segmentation fault in fy-doc.c #122

Closed
gabe-sherman opened this issue Aug 16, 2024 · 0 comments

Comments

@gabe-sherman

A segmentation fault occurs at line 4944 in fy-doc.c when the below code is provided a malformed input. This occurs when fy_node_get_path_relative_to is invoked, leading to a dereference of a high value address.

#include <stdio.h>
#include <string.h>
#include <libfyaml.h>

int main(int argc, char *argv[])
{
   if (argc < 2) {
      fprintf(stderr, "usage: %s <poc-file>\n", argv[0]);
      return 1;
   }

   /* Parse the (malformed) input file with the default parser configuration */
   struct fy_document *doc = fy_document_build_from_file(NULL, argv[1]);
   if (!doc)
      return 1;

   /* Re-emit the document as JSON, then parse that output back into a node */
   fy_emit_document_to_file(doc, FYECF_MODE_JSON, "/tmp/file");
   struct fy_node *node = fy_node_build_from_file(doc, "/tmp/file");

   /* ypath lookup on the rebuilt node; this call reaches fy_node_get_path_relative_to and faults */
   fy_node_by_path(node, "/t", strlen("/t"), FYNWF_PTR_YPATH);

   /* Not reached when the crash reproduces */
   fy_document_destroy(doc);
   return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 592ccc1

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c5

Address Sanitizer Output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1047588==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55555576d1c1 bp 0x7fffffffd250 sp 0x7fffffffd1c0 T0)
==1047588==The signal is caused by a READ memory access.
==1047588==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55555576d1c1 in fy_node_get_path_relative_to /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4944:45
    #1 0x5555558f6e28 in fy_walk_result_perform_set_op /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4483:19
    #2 0x5555558f8ca4 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5019:12
    #3 0x5555558f8b56 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4815:13
    #4 0x5555558f8b00 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4814:13
    #5 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
    #6 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
    #7 0x5555558fe712 in fy_node_alias_resolve_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5402:7
    #8 0x5555558feee0 in fy_node_alias_resolve_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5442:8
    #9 0x5555558f8946 in fy_path_expr_execute_single_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3590:10
    #10 0x5555558f8946 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4614:11
    #11 0x5555558f93f2 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4642:13
    #12 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
    #13 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
    #14 0x5555558ff36c in fy_node_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5514:7
    #15 0x5555558ff83e in fy_node_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5557:8
    #16 0x55555575e603 in fy_node_by_path /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4457:10
    #17 0x555555744253 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c5/rep.c:13:4
    #18 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c5/r.out+0x1173a4) (BuildId: 3e6971e0c0743abf9d7dc74129a0231168459f13)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4944:45 in fy_node_get_path_relative_to
==1047588==ABORTING