Segmentation fault in fy_path_expr_execute #123

Closed
gabe-sherman opened this issue Aug 16, 2024 · 0 comments

A segmentation fault occurs at line 5004 in fy-walk.c when the code below is given malformed input. This occurs when fy_path_expr_execute is invoked, leading to a member access within a null pointer.

#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <libfyaml.h>

int main(int argc, char *argv[])
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s <yaml-file>\n", argv[0]);
		return 1;
	}

	/* Parse the (malformed) input document. */
	struct fy_document *doc = fy_document_build_from_file(NULL, argv[1]);

	/* Re-emit it as JSON to a temporary file ... */
	int rc = fy_emit_document_to_file(doc, FYECF_MODE_JSON, "/tmp/file");
	if (rc)
		fprintf(stderr, "fy_emit_document_to_file returned %d\n", rc);

	/* ... and build a node from that file. */
	struct fy_node *node = fy_node_build_from_file(doc, "/tmp/file");

	/* The ypath lookup is where the crash is triggered (fy-walk.c:5004). */
	fy_node_by_path(node, "/t", strlen("/t"), FYNWF_PTR_YPATH);

	return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 592ccc1

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c6

Address Sanitizer Output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1088188==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555558f8bb7 bp 0x7fffffffd410 sp 0x7fffffffd300 T0)
==1088188==The signal is caused by a READ memory access.
==1088188==Hint: address points to the zero page.
    #0 0x5555558f8bb7 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19
    #1 0x5555558f8b00 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4814:13
    #2 0x5555558f9b16 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4938:12
    #3 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
    #4 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
    #5 0x5555558fe712 in fy_node_alias_resolve_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5402:7
    #6 0x5555558feee0 in fy_node_alias_resolve_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5442:8
    #7 0x5555558f8946 in fy_path_expr_execute_single_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3590:10
    #8 0x5555558f8946 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4614:11
    #9 0x5555558f93f2 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4642:13
    #10 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
    #11 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
    #12 0x5555558ff36c in fy_node_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5514:7
    #13 0x5555558ff83e in fy_node_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5557:8
    #14 0x55555575e603 in fy_node_by_path /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4457:10
    #15 0x555555744253 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c6/rep.c:13:4
    #16 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c6/r.out+0x1173a4) (BuildId: c0adbfbf25c5bbd85cd73468c7b07d69a77af2fb)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19 in fy_path_expr_execute
==1088188==ABORTING
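When fuzzing a library like this produces many sanitizer reports, the first triage step is to classify each one and derive a stable deduplication key. The script below is an added example, not part of the original issue or of libfyaml: it parses an excerpt of the AddressSanitizer report above, classifies the fault as a NULL-pointer read (the faulting address 0x18 lies in the zero page, matching ASAN's hint), builds a signature from the top three non-libc frames, and records which public API call from main() led into the library. The `ASAN_REPORT` string is an excerpt of the output in this issue; the frame-filtering heuristics are assumptions of this example.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the ASAN output from this issue (some middle frames omitted).
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1088188==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555558f8bb7 bp 0x7fffffffd410 sp 0x7fffffffd300 T0)
==1088188==The signal is caused by a READ memory access.
==1088188==Hint: address points to the zero page.
    #0 0x5555558f8bb7 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19
    #1 0x5555558f8b00 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4814:13
    #2 0x5555558f9b16 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4938:12
    #3 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
    #13 0x5555558ff83e in fy_node_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5557:8
    #14 0x55555575e603 in fy_node_by_path /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4457:10
    #15 0x555555744253 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c6/rep.c:13:4
    #16 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c6/r.out+0x1173a4) (BuildId: c0adbfbf25c5bbd85cd73468c7b07d69a77af2fb)
SUMMARY: AddressSanitizer: SEGV /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19 in fy_path_expr_execute
==1088188==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: str
    path: str             # source path (or module text) as printed by ASAN
    line: Optional[int]   # None when ASAN printed no line info (e.g. _start)


@dataclass
class Triage:
    kind: str                   # "null-deref", "segv" or "other"
    access: Optional[str]       # "READ" / "WRITE" / None
    fault_address: Optional[int]
    frames: List[Frame]
    signature: str              # stable key for deduplicating crashes
    api_entry: Optional[Frame]  # library frame called directly from main()


FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
SEGV_RE = re.compile(r"ERROR: AddressSanitizer: SEGV on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
LOC_RE = re.compile(r"^(\S+?):(\d+)(?::(\d+))?$")  # path:line[:col]
PAGE_SIZE = 4096  # faults below this are small offsets from a NULL pointer


def parse_frames(report: str) -> List[Frame]:
    """Extract the '#N 0x... in func location' lines of a sanitizer trace."""
    frames: List[Frame] = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        idx, func, loc = int(m.group(1)), m.group(2), m.group(3)
        lm = LOC_RE.match(loc)
        if lm:
            frames.append(Frame(idx, func, lm.group(1), int(lm.group(2))))
        else:
            frames.append(Frame(idx, func, loc, None))  # no file:line available
    return frames


def is_runtime_frame(f: Frame) -> bool:
    """Heuristic (assumption of this example): libc/CRT frames say nothing about the bug."""
    return (f.function.startswith(("__libc", "_start"))
            or "/sysdeps/" in f.path or f.path.startswith("csu/"))


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Join the top `depth` non-runtime frames as func@file:line."""
    parts = []
    for f in frames:
        if is_runtime_frame(f):
            continue
        base = f.path.rsplit("/", 1)[-1]
        parts.append(f"{f.function}@{base}:{f.line}" if f.line is not None
                     else f"{f.function}@{base}")
        if len(parts) == depth:
            break
    return "|".join(parts)


def triage(report: str) -> Triage:
    frames = parse_frames(report)
    m = SEGV_RE.search(report)
    addr = int(m.group(1), 16) if m else None
    am = ACCESS_RE.search(report)
    access = am.group(1) if am else None
    if addr is None:
        kind = "other"
    elif addr < PAGE_SIZE:
        kind = "null-deref"  # member access through a NULL struct pointer
    else:
        kind = "segv"
    api_entry = None
    for i, f in enumerate(frames):
        if f.function == "main" and i > 0:
            api_entry = frames[i - 1]  # the public API the input reached the bug through
            break
    return Triage(kind, access, addr, frames, crash_signature(frames), api_entry)


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(t.kind, t.access, hex(t.fault_address or 0))
    print("signature:", t.signature)
    print("entered via:", t.api_entry.function if t.api_entry else "?")
```

For this report the signature groups every input that dies at the same three fy-walk.c lines, and `api_entry` shows that the fault is reachable through the public `fy_node_by_path` call, which is what a maintainer needs to know when deciding where the missing NULL check belongs.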