Project

General

Profile

Bug #990

YAML::load segfaults

Added by igal (Igal Koshevoy) almost 11 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
1.8.6-p287
[ruby-core:21210]

Description

=begin
The Syck-based YAML implementation shipped with Ruby can produce invalid output that it itself cannot parse or segfaults on. This was discovered by Markus Roberts from the team[1] creating ZAML[2], a fast YAML serialization library for Ruby.

For example, the following code supplied by Markus will cause Ruby to fail with a segmentation fault:

require 'yaml'
YAML.load("--- &-&-\000")

1.8.6-p287 fails with:
/home/igal/mtmp/ruby-1.8.6-p287/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.6 (2008-08-11) [i686-linux]

1.8.7-p72 fails with:
/home/igal/mtmp/ruby-1.8.7-p72/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]

1.9.1-rc1 fails with:
*** glibc detected *** irb: double free or corruption (fasttop): 0x085309a0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d97a85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d9b4f0]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_free_node+0x56)[0xb7c5c076]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_hdlr_add_node+0x60)[0xb7c58aa0]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syckparse+0xb0c)[0xb7c581cc]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_parse+0x32)[0xb7c55af2]
/home/igal/mtmp/ruby-1.9.1-rc1/prefix/lib/ruby/1.9.1/i686-linux/syck.so(syck_parser_load+0x112)[0xb7c50d12]
...

There are apparently other YAML documents that cause similar problems. Members of the ZAML team will comment further on this bug report to provide additional examples.

[1] ZAML's mailing list: http://groups.google.com/group/zaml
[2] ZAML's source code: http://github.com/hallettj/zaml/tree/master/
=end

History

#1

Updated by mboeh (Matthew Boeh) almost 11 years ago

=begin
Igal, you said Syck will generate output it will fail or segfault on -- do you have an example of YAML.dump generating such a string?

My own investigations indicate that the issue is a general one with having two anchor labels on a line:

orz% cat pow.yml
vux:
vux
orz: &b &c
orz
orz% ruby -ryaml -e "YAML.load(File.read('pow.yml'))"

That segfaults.
=end

#2

Updated by ko1 (Koichi Sasada) almost 11 years ago

  • Assignee set to shyouhei (Shyouhei Urabe)
  • ruby -v set to 1.8.6-p287

=begin

=end

#3

Updated by shyouhei (Shyouhei Urabe) about 9 years ago

  • Status changed from Open to Assigned

=begin

=end

#4

Updated by shyouhei (Shyouhei Urabe) almost 3 years ago

  • Status changed from Assigned to Closed

Also available in: Atom PDF