Closed HotSpurzzZ closed 4 months ago
I assume this is the same as #258. I couldn't find an input file to reproduce it in this issue.
Closing as a duplicate of #258; it is caused by a problem in the fuzz-testing code, fixed here: https://github.com/google/oss-fuzz/pull/11818
When using libFuzzer to fuzz the dumper, a heap overflow was found; this can be reproduced on the latest commit. When dereferencing the pointer `(*(--(stack).top))`, the status of the stack is not checked, resulting in an overflow.
Version
POC file
https://github.com/HotSpurzzZ/testcases/blob/main/libyaml/libyaml_heap_overflow
Verification steps
Compile and run the following file: https://github.com/google/oss-fuzz/blob/master/projects/libyaml/libyaml_dumper_fuzzer.c
clang -g -fsanitize=address,fuzzer -O0 -I ./src/ -Iinclude -c libyaml_dumper_fuzzer.c -o dumper_fuzzer.o
clang++ -g -fsanitize=address,fuzzer -O0 dumper_fuzzer.o -o dumper_fuzzer src/.libs/libyaml.a
AddressSanitizer output
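The report above quotes a pop of the form `(*(--(stack).top))` executed without first checking whether the stack is empty. The following is an added illustration, not code from the reporter, libyaml, or the oss-fuzz harness: it models a start/top/end pointer stack, keeps the unchecked pop as a macro, and wraps it in a checked pop that refuses to read when `top == start`. The stack type, function names and the push/pop sequence are assumptions made for this example; the page itself does not say whether the missing check was in the harness or the library.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stack with start/top/end pointers, written for this page. */
typedef struct {
    int *start;   /* first element of the heap block */
    int *top;     /* one past the last pushed element */
    int *end;     /* one past the end of the allocation */
} int_stack_t;

static int stack_init(int_stack_t *s, size_t capacity)
{
    s->start = malloc(capacity * sizeof(int));
    if (!s->start) return 0;
    s->top = s->start;
    s->end = s->start + capacity;
    return 1;
}

static void stack_free(int_stack_t *s)
{
    free(s->start);
    s->start = s->top = s->end = NULL;
}

static int stack_push(int_stack_t *s, int value)
{
    if (s->top == s->end) return 0;   /* full: refuse rather than overrun */
    *(s->top++) = value;
    return 1;
}

/* The pop quoted in the report: decrement top, then dereference it. On an
 * empty stack top becomes start - 1 and the read lands just before the heap
 * block, which AddressSanitizer flags as a heap-buffer-overflow. */
#define UNCHECKED_POP(stack) (*(--(stack).top))

/* Hardened form: test for emptiness first and report it to the caller. */
static int stack_pop_checked(int_stack_t *s, int *out)
{
    if (s->top == s->start) return 0; /* empty: no decrement, no read */
    *out = UNCHECKED_POP(*s);         /* only reached on a non-empty stack */
    return 1;
}

/* Push `pushes` values, then attempt `pops` pops; returns how many pops
 * were refused because the stack was already empty. */
static int refused_pops(size_t capacity, int pushes, int pops)
{
    int_stack_t s;
    int v, refused = 0;
    if (!stack_init(&s, capacity)) return -1;
    for (int i = 0; i < pushes; i++) stack_push(&s, 10 * (i + 1));
    for (int i = 0; i < pops; i++) {
        if (stack_pop_checked(&s, &v)) printf("popped %d\n", v);
        else refused++;
    }
    stack_free(&s);
    return refused;
}

/* Attempt `pushes` pushes into a stack of `capacity`; returns how many
 * were refused because the stack was full. */
static int refused_pushes(size_t capacity, int pushes)
{
    int_stack_t s;
    int refused = 0;
    if (!stack_init(&s, capacity)) return -1;
    for (int i = 0; i < pushes; i++)
        if (!stack_push(&s, i)) refused++;
    stack_free(&s);
    return refused;
}

int main(void)
{
    /* two pushes, three pops: the third pop must be refused, not read */
    int r = refused_pops(4, 2, 3);
    printf("refused pops: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

Running the same sequence with `UNCHECKED_POP` in place of `stack_pop_checked` under `-fsanitize=address` reproduces the class of report the issue describes: a read of the `int` immediately before the heap allocation.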