Ruby 1.8

The Syck-based YAML implementation shipped with Ruby can produce invalid output that it itself cannot parse or segfaults on. This was discovered by Markus Roberts from the team[1] creating ZAML[2], a fast YAML serialization library for Ruby.

For example, the following code supplied by Markus will cause Ruby to fail with a segmentation fault:

  require 'yaml'
  YAML.load("--- &-&-\000")

1.8.6-p287 fails with:
/home/igal/mtmp/ruby-1.8.6-p287/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.6 (2008-08-11) [i686-linux]

1.8.7-p72 fails with:
/home/igal/mtmp/ruby-1.8.7-p72/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]

1.9.1-rc1 fails with:
*** glibc detected *** irb: double free or corruption (fasttop): 0x085309a0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d97a85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d9b4f0]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_free_node+0x56)[0xb7c5c076]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_hdlr_add_node+0x60)[0xb7c58aa0]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syckparse+0xb0c)[0xb7c581cc]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_parse+0x32)[0xb7c55af2]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_parser_load+0x112)[0xb7c50d12]
...

There are apparently other YAML documents that cause similar problems. Members of the ZAML team will comment further on this bug report to provide additional examples.

[1] ZAML's mailing list: http://groups.google.com/group/zaml
[2] ZAML's source code: http://github.com/hallettj/zaml/tree/master/