v3: yaml.Unmarshal() crashes on "#\n - - QI\xd7" #744

Closed
rhysd opened this issue Jun 4, 2021 · 3 comments

rhysd commented Jun 4, 2021

Hi,

I've been making a tool with the yaml.v3 package recently.

Today, I tried the fuzzing that was added to Go as a beta and found a crash issue.

Repro

package main

import (
	"fmt"

	"gopkg.in/yaml.v3"
)

func main() {
	in := "#\n - - QI\xd7"

	var n yaml.Node
	if err := yaml.Unmarshal([]byte(in), &n); err != nil {
		fmt.Println(err)
	}
}

  1. Save the code as main.go
  2. Compile it with go build main.go
  3. Run ./main

Expected behavior

It runs without crashing

Actual behavior

Crashed

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x10e14c2]

goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc0000c7f50)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/yaml.go:294 +0x8d
panic(0x110fe20, 0x11eb9b0)
        /usr/local/Cellar/go/1.16.4/libexec/src/runtime/panic.go:965 +0x1b9
gopkg.in/yaml%2ev3.yaml_parser_split_stem_comment(0xc0000e6000, 0x1)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/parserc.go:789 +0x42
gopkg.in/yaml%2ev3.yaml_parser_parse_block_sequence_entry(0xc0000e6000, 0xc0000e62b0, 0xc0000c7c01, 0x10d4ce5)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/parserc.go:703 +0xf9
gopkg.in/yaml%2ev3.yaml_parser_state_machine(0xc0000e6000, 0xc0000e62b0, 0x0)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/parserc.go:179 +0x256
gopkg.in/yaml%2ev3.yaml_parser_parse(0xc0000e6000, 0xc0000e62b0, 0xc0000bc460)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/parserc.go:129 +0x95
gopkg.in/yaml%2ev3.(*parser).peek(0xc0000e6000, 0x7)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:103 +0x45
gopkg.in/yaml%2ev3.(*parser).sequence(0xc0000e6000, 0x7)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:258 +0xe5
gopkg.in/yaml%2ev3.(*parser).parse(0xc0000e6000, 0xc000000003)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc0000e6000, 0x11f3b03)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:203 +0x8b
gopkg.in/yaml%2ev3.(*parser).parse(0xc0000e6000, 0x0)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/decode.go:156 +0x87
gopkg.in/yaml%2ev3.unmarshal(0xc0000ae560, 0xa, 0x10, 0x111b900, 0xc0000bc320, 0x0, 0x0, 0x0)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/yaml.go:161 +0x26a
gopkg.in/yaml%2ev3.Unmarshal(...)
        /Users/rhysd/Develop/github.com/go-yaml/yaml/yaml.go:89
main.main()
        /Users/rhysd/Develop/github.com/go-yaml/yaml/tmp/test.go:13 +0x9a

Environment

  • OS: macOS 10.15
  • Go: tip
  • yaml: 496545a

Note

I have a fuzzing test case for yaml.v3 which found this crash. If you want it, I'll happily make a PR to add the test case. Please let me know if the fuzzing script sounds useful.
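Added example, not part of the original issue or the go-yaml project: a caller-side guard that turns a decoder panic like the one in the trace above into an ordinary error, so one malformed document cannot take down a process that parses untrusted YAML. The names `safeDecode`, `crashyDecode` and `ErrDecoderPanic` are hypothetical, and `crashyDecode` is a constructed stand-in for the affected parser so the block runs without the yaml module; in real use pass `yaml.Unmarshal` as the `decode` argument.

```go
package main

import (
	"errors"
	"fmt"
	"runtime/debug"
)

// ErrDecoderPanic marks input that made the decoder panic instead of returning an error.
var ErrDecoderPanic = errors.New("decoder panicked on input")

// decodeFunc has the same shape as yaml.Unmarshal, so the real function can be passed in.
type decodeFunc func(in []byte, out interface{}) error

// safeDecode (hypothetical helper) runs decode and converts any panic into an error.
// In the trace above the runtime panic is re-raised from handleErr rather than
// returned as an error, so the recover has to happen in the caller.
func safeDecode(decode decodeFunc, in []byte, out interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			// Keep the quoted input and the stack so the crash can be reported upstream.
			err = fmt.Errorf("%w: %v (input %q)\n%s", ErrDecoderPanic, r, in, debug.Stack())
		}
	}()
	return decode(in, out)
}

type token struct{ line int }

// crashyDecode is a constructed stand-in for the affected parser: it dereferences
// a nil pointer on the input from this issue and accepts everything else.
func crashyDecode(in []byte, out interface{}) error {
	if string(in) == "#\n - - QI\xd7" {
		var tok *token
		_ = tok.line // nil pointer dereference, same class of failure as in the trace
	}
	return nil
}

func main() {
	var v interface{}
	for _, in := range []string{"a: 1\n", "#\n - - QI\xd7"} {
		err := safeDecode(crashyDecode, []byte(in), &v)
		fmt.Printf("%q -> panicked=%v\n", in, errors.Is(err, ErrDecoderPanic))
	}
}
```

The guard only contains the crash; inputs that trip it are worth keeping as regression cases for the fuzzing corpus mentioned in the note.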


itchyny commented Jun 4, 2021

Duplicate of #665?


rhysd commented Jun 4, 2021

Oh, it might be. Thanks @itchyny for pointing that out. The input "#\n-\n-\n0" is similar to the input of this issue. But I'm not confident that they are exactly the same issue. I want to have a maintainer look at the crash detail 😄

@niemeyer
Contributor

> Duplicate of #665?

Indeed. Fixed and commented there.
