pantoniou / libfyaml

Fully feature complete YAML parser and emitter, supporting the latest YAML spec and passing the full YAML testsuite.
MIT License

Segmentation Fault in list_empty upon malformed input #107

Closed gabe-sherman closed 1 month ago

gabe-sherman commented 3 months ago

I am an undergraduate student exploring automatic harness generation for open source APIs. I found a segmentation fault that occurs in list_empty upon a malformed input. The program this occurs in is below:

#include <stdio.h>
#include <stdlib.h>
#include "libfyaml.h"

int main(int argc, char *argv[])
{
   if (argc < 2) {
      fprintf(stderr, "usage: %s <yaml-file>\n", argv[0]);
      return EXIT_FAILURE;
   }
   /* Create an empty document, then build a node from the input file;
    * the segmentation fault is triggered inside fy_node_build_from_file(). */
   struct fy_document *v0 = fy_document_create(NULL);
   if (!v0) exit(EXIT_FAILURE);
   struct fy_node *v1 = fy_node_build_from_file(v0, argv[1]);
   (void)v1;
   fy_document_destroy(v0);
   return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 1f520e6717113136763cd4485bebfb51fde6a41e

POC File

https://github.com/FuturesLab/POC/blob/main/fyaml/poc-01

Address Sanitizer Output

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1368:51 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3364649==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x55555572142b bp 0x000000000001 sp 0x7fffffffbb70 T0)
==3364649==The signal is caused by a READ memory access.
==3364649==Hint: address points to the zero page.
    #0 0x55555572142b in list_empty /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-list.h:198:20
    #1 0x55555572142b in fy_node_pair_list_empty /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.h:54:1
    #2 0x55555572142b in fy_node_pair_list_head /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.h:54:1
    #3 0x55555572537c in fy_node_mapping_get_pair_index /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1368:22
    #4 0x5555557233e7 in fy_node_mapping_sort_cmp_default /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:5825:10
    #5 0x5555556badbb in qsort_r (/home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-01/harness+0x166dbb) (BuildId: 738b775c2033ed05aecfab23edb7345df370ad68)
    #6 0x55555572450e in fy_node_mapping_perform_sort /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:5875:2
    #7 0x5555557227da in fy_node_compare_user /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1244:3
    #8 0x5555557251c8 in fy_node_compare /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1284:9
    #9 0x5555557251c8 in fy_node_mapping_lookup_pair /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1353:8
    #10 0x555555757a6c in fy_node_mapping_key_is_duplicate /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1380:9
    #11 0x555555757a6c in fy_parse_document_load_mapping /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1647:16
    #12 0x555555726b9b in fy_parse_document_load_node /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1769:9
    #13 0x555555741a6b in fy_document_load_node /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:5082:7
    #14 0x555555741a6b in fy_node_build_internal /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:5132:8
    #15 0x55555574260c in fy_node_build_from_file /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:5197:9
    #16 0x555555717215 in main /home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-01/harness.c:18:50
    #17 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x5555556593e4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-01/harness+0x1053e4) (BuildId: 738b775c2033ed05aecfab23edb7345df370ad68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-list.h:198:20 in list_empty
==3364649==ABORTING

pantoniou commented 1 month ago

Thanks, fixed by fff2e6061ea489581740a72f23466ca5bbaedf1c