Fix libyaml_emitter_fuzzer: inverted copy_event return value check

[OwenSanzas]

Summary

The libyaml_emitter_fuzzer has an inverted return value check that makes the entire emitter path dead code.

Bug 1: Inverted logic in copy_event check

copy_event() wraps yaml_*_event_initialize() functions, which return 1 on success, 0 on failure (standard libyaml convention). However, the check on line 250:

if (copy_event(&events[event_number++], &event)) {
    yaml_event_delete(&event);
    goto delete_parser;   // error path
}

enters the error path when copy_event succeeds (returns 1). For every valid YAML input, the fuzzer short-circuits on the very first event. The following code is never reached:

• yaml_emitter_emit() — the entire emitter path
• The second parser loop (re-parse emitted output and compare events)
• The events_equal() comparison logic

Roughly 50% of the fuzzer's logic is dead code.

Fix: if (copy_event(...)) → if (!copy_event(...))

Bug 2: Pre-increment causes UB on failure path

event_number++ was inside the copy_event() call as a post-increment. When copy_event fails (returns 0 — rare, OOM only), event_number has already been incremented, but events[old_number] was not initialized. The cleanup loop then calls yaml_event_delete() on an uninitialized event — undefined behavior.

Fix: Move event_number++ to after the success check.

Bug 3: NULL buffer passed to yaml_parser_set_input_string

When the emitter produces no output (e.g., empty YAML stream), out.buf remains NULL. The second parser loop passes this NULL to yaml_parser_set_input_string(), which has assert(input). This was masked by Bug 1 since the second parser loop was never reached.

Fix: Add if (!out.buf || out.size == 0) goto error; before the second parser loop.

Coverage comparison (60 seconds, AddressSanitizer, libFuzzer fork mode)

Metric	Original	Fixed	Change
Edges	166	2479	+1393%
Features	437	10285	+2253%
Corpus	135	2258	+1573%

The ~15x edge coverage increase confirms that the emitter, write handler, and re-parser code paths were entirely dead in the original fuzzer.

[github-actions]

OwenSanzas is a new contributor to projects/libyaml. The PR must be approved by known contributors before it can be merged. The past contributors are: arthurscchan, hunsche, perlpunk, ingydotnet, alex, rjotwani, cvediver, Dor1s, ssbr (unverified), sigmavirus24 (unverified), inferno-chromium (unverified), mikea (unverified)

[DavidKorczynski]

nice! Do you have any estimate for how much overall coverage gain from this? One part is the coverage of the harness itself, but the project overall has very high coverage already: https://storage.googleapis.com/oss-fuzz-coverage/libyaml/reports/20260304/linux/src/report.html

[OwenSanzas]

Thanks! I ran llvm-cov with the developer-provided seed corpus (libyaml/examples/*), coverage sanitizer, 60 seconds each:

Source file	Original	Fixed	OSS-Fuzz (all fuzzers)
api.c	14.12%	47.00%	74.62%
emitter.c	0.00%	70.84%	88.40%
parser.c	3.03%	81.49%	93.60%
reader.c	89.27%	89.70%	94.85%
scanner.c	3.50%	78.21%	95.56%
writer.c	0.00%	81.01%	88.61%
TOTAL	8.58%	71.76%	89.80%

The original emitter fuzzer hits 0% of emitter.c and writer.c — the inverted check kills the emitter path entirely. Other fuzzers already cover most of this code, so the project-level gain is probably small, but at least the emitter fuzzer is now actually doing its job.

[DavidKorczynski]

thanks for the clarifications

[OwenSanzas]

Thanks for the approval!