Bug #990

YAML::load segfaults

Added by igal (Igal Koshevoy) over 11 years ago. Updated over 3 years ago.

The Syck-based YAML implementation shipped with Ruby can produce invalid output that it itself cannot parse or segfaults on. This was discovered by Markus Roberts from the team[1] creating ZAML[2], a fast YAML serialization library for Ruby.

For example, the following code supplied by Markus will cause Ruby to fail with a segmentation fault:

require 'yaml'
YAML.load("--- &-&-\000")

1.8.6-p287 fails with:
/home/igal/mtmp/ruby-1.8.6-p287/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.6 (2008-08-11) [i686-linux]

1.8.7-p72 fails with:
/home/igal/mtmp/ruby-1.8.7-p72/prefix/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]

1.9.1-rc1 fails with:
*** glibc detected *** irb: double free or corruption (fasttop): 0x085309a0 ***
======= Backtrace: =========

There are apparently other YAML documents that cause similar problems. Members of the ZAML team will comment further on this bug report to provide additional examples.

[1] ZAML's mailing list:
[2] ZAML's source code:
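A defensive pattern this report motivates (added example; not code from the report, from Ruby, or from ZAML): parse untrusted YAML in a forked child so that a parser segfault like the one above, or a hang, only takes down the child while the parent classifies the outcome. It assumes a POSIX Ruby with fork and the Psych YAML.safe_load that current Ruby ships; the loader argument is a hypothetical hook for substituting another parse routine.

```ruby
require 'yaml'

# Outcome of parsing one untrusted document in a throwaway child process.
ParseResult = Struct.new(:status, :value, :error)

# Parse `doc` in a forked child so that a parser crash (like the Syck
# SIGSEGV in this report) or a hang only takes down the child, never the
# process that accepted the input. `loader` is a hypothetical hook for the
# parse routine; it defaults to Psych's YAML.safe_load.
# Returns a ParseResult whose status is :ok, :error, :crashed or :timeout.
def isolated_yaml_load(doc, timeout: 5, loader: ->(s) { YAML.safe_load(s) })
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    payload = begin
      Marshal.dump([:ok, loader.call(doc)])
    rescue StandardError => e
      Marshal.dump([:error, "#{e.class}: #{e.message}"])
    end
    writer.write(payload)
    writer.close
    exit!(0) # skip at_exit handlers inherited from the parent
  end
  writer.close

  # Wait up to `timeout` seconds for the child to produce a result (or EOF).
  data = ''
  timed_out = false
  if IO.select([reader], nil, nil, timeout)
    data = reader.read
  else
    timed_out = true
    Process.kill(:KILL, pid)
  end
  reader.close
  _, status = Process.wait2(pid)

  return ParseResult.new(:timeout, nil, "parser exceeded #{timeout}s") if timed_out
  # A child killed by a signal (or that died before writing) never sends a payload.
  if status.signaled? || data.empty?
    return ParseResult.new(:crashed, nil, "parser died, signal=#{status.termsig.inspect}")
  end
  kind, body = Marshal.load(data)
  kind == :ok ? ParseResult.new(:ok, body, nil) : ParseResult.new(:error, nil, body)
end
```

Any parser bug that would have been a process-wide crash now surfaces as a :crashed result the caller can log and reject.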


Updated by mboeh (Matthew Boeh) over 11 years ago

Igal, you said Syck will generate output it will fail or segfault on -- do you have an example of YAML.dump generating such a string?

My own investigations indicate that the issue is a general one with having two anchor labels on a line:

orz% cat pow.yml
orz: &b &c
orz% ruby -ryaml -e "YAML.load(File.read('pow.yml'))"

That segfaults.


Updated by ko1 (Koichi Sasada) over 11 years ago

  • Assignee set to shyouhei (Shyouhei Urabe)
  • ruby -v set to 1.8.6-p287




Updated by shyouhei (Shyouhei Urabe) almost 10 years ago

  • Status changed from Open to Assigned




Updated by shyouhei (Shyouhei Urabe) over 3 years ago

  • Status changed from Assigned to Closed
