v3: panic (nil pointer dereference) in parserc.go:789

[bradleyjkemp]

Hi folks 👋🏻 Found this panic while fuzzing my own project.

Minimal example of the panic (https://play.golang.org/p/GV-Lwua6OMA):

package main

import (
	"gopkg.in/yaml.v3"
)

func main() {
	var t interface{}
	yaml.Unmarshal([]byte("#\n-\n-\n0"), &t)
}

Output:

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4e52a2]

goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc00008df60)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:294 +0x85
panic(0x5149e0, 0x5f4010)
	/usr/local/go-faketime/src/runtime/panic.go:969 +0x1b9
gopkg.in/yaml%2ev3.yaml_parser_split_stem_comment(0xc00013c000, 0x1)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/parserc.go:789 +0x42
gopkg.in/yaml%2ev3.yaml_parser_parse_block_sequence_entry(0xc00013c000, 0xc00013c2b0, 0xc00008dd01, 0x4d8b45)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/parserc.go:703 +0xf9
gopkg.in/yaml%2ev3.yaml_parser_state_machine(0xc00013c000, 0xc00013c2b0, 0x0)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/parserc.go:179 +0x256
gopkg.in/yaml%2ev3.yaml_parser_parse(0xc00013c000, 0xc00013c2b0, 0xc00011a3c0)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/parserc.go:129 +0x95
gopkg.in/yaml%2ev3.(*parser).peek(0xc00013c000, 0x7)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:103 +0x45
gopkg.in/yaml%2ev3.(*parser).sequence(0xc00013c000, 0x7)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:258 +0xe5
gopkg.in/yaml%2ev3.(*parser).parse(0xc00013c000, 0xc000000003)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc00013c000, 0x3)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:203 +0x8b
gopkg.in/yaml%2ev3.(*parser).parse(0xc00013c000, 0x0)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:156 +0x87
gopkg.in/yaml%2ev3.unmarshal(0xc000100568, 0x7, 0x7, 0x50a080, 0xc00010a150, 0x0, 0x0, 0x0)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:161 +0x26a
gopkg.in/yaml%2ev3.Unmarshal(...)
	/tmp/gopath873735581/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:89
main.main()
	/tmp/sandbox347243958/prog.go:9 +0x93

[sudermanjr]

I had the same issue and had to revert to a5ece68 to fix.

[niemeyer]

This is a good example of "The Billion Dollar Mistake". But to be fair, it only happens here because this is a C-style API that was converted to Go but keeping its general shape. The proper fix, to be done eventually, is to replace all these boolean error flags by proper error types.

[SuperQ]

Is this valid for the v2 library, if yes, can the fix be back-ported into v2? There are a number of outstanding issues that prevent us from switching from v2 to v3.