Add test for issue 530

src/changes/changes.xml

@@ -7,7 +7,7 @@
     <body>
         <release version="1.31" date="in Git" description="Maintenance">
             <action dev="asomov" type="fix" issue="529">
-                Show proper error message for invalid float scalar (detected by OSS-Fuzz)
+                Show proper error message for invalid !!float and !!int scalar (detected by OSS-Fuzz)
             </action>
             <action dev="asomov" type="fix" issue="525">
                 Restrict nested depth for collections to avoid DoS attacks (detected by OSS-Fuzz)

src/main/java/org/yaml/snakeyaml/Yaml.java

@@ -636,6 +636,20 @@ public void addImplicitResolver(Tag tag, Pattern regexp, String first) {
         resolver.addImplicitResolver(tag, regexp, first);
     }
 
+    /**
+     * Add an implicit scalar detector. If an implicit scalar value matches the
+     * given regexp, the corresponding tag is assigned to the scalar.
+     *
+     * @param tag    tag to assign to the node
+     * @param regexp regular expression to match against
+     * @param first  a sequence of possible initial characters or null (which means
+     *               any).
+     * @param limit the max length of the value which may match the regular expression
+     */
+    public void addImplicitResolver(Tag tag, Pattern regexp, String first, int limit) {
+        resolver.addImplicitResolver(tag, regexp, first, limit);
+    }
+
     @Override
     public String toString() {
         return name;

src/main/java/org/yaml/snakeyaml/resolver/Resolver.java

@@ -63,37 +63,40 @@ public class Resolver {
     protected Map<Character, List<ResolverTuple>> yamlImplicitResolvers = new HashMap<Character, List<ResolverTuple>>();
 
     protected void addImplicitResolvers() {
-        addImplicitResolver(Tag.BOOL, BOOL, "yYnNtTfFoO");
+        addImplicitResolver(Tag.BOOL, BOOL, "yYnNtTfFoO", 10);
         /*
          * INT must be before FLOAT because the regular expression for FLOAT
          * matches INT (see issue 130)
          * http://code.google.com/p/snakeyaml/issues/detail?id=130
          */
-        addImplicitResolver(Tag.INT, INT, "-+0123456789");
-        addImplicitResolver(Tag.FLOAT, FLOAT, "-+0123456789.");
-        addImplicitResolver(Tag.MERGE, MERGE, "<");
-        addImplicitResolver(Tag.NULL, NULL, "~nN\0");
-        addImplicitResolver(Tag.NULL, EMPTY, null);
-        addImplicitResolver(Tag.TIMESTAMP, TIMESTAMP, "0123456789");
+        addImplicitResolver(Tag.INT, INT, "-+0123456789", 100);
+        addImplicitResolver(Tag.FLOAT, FLOAT, "-+0123456789.", 100);
+        addImplicitResolver(Tag.MERGE, MERGE, "<", 100);
+        addImplicitResolver(Tag.NULL, NULL, "~nN\0", 10);
+        addImplicitResolver(Tag.NULL, EMPTY, null, 10);
+        addImplicitResolver(Tag.TIMESTAMP, TIMESTAMP, "0123456789", 50);
         // The following implicit resolver is only for documentation
         // purposes.
         // It cannot work
         // because plain scalars cannot start with '!', '&', or '*'.
-        addImplicitResolver(Tag.YAML, YAML, "!&*");
+        addImplicitResolver(Tag.YAML, YAML, "!&*", 10);
     }
 
     public Resolver() {
         addImplicitResolvers();
     }
 
     public void addImplicitResolver(Tag tag, Pattern regexp, String first) {
+        addImplicitResolver(tag, regexp, first, 1024);
+    }
+    public void addImplicitResolver(Tag tag, Pattern regexp, String first, int limit) {
         if (first == null) {
             List<ResolverTuple> curr = yamlImplicitResolvers.get(null);
             if (curr == null) {
                 curr = new ArrayList<ResolverTuple>();
                 yamlImplicitResolvers.put(null, curr);
             }
-            curr.add(new ResolverTuple(tag, regexp));
+            curr.add(new ResolverTuple(tag, regexp, limit));
         } else {
             char[] chrs = first.toCharArray();
             for (int i = 0, j = chrs.length; i < j; i++) {
@@ -107,7 +110,7 @@ public void addImplicitResolver(Tag tag, Pattern regexp, String first) {
                     curr = new ArrayList<ResolverTuple>();
                     yamlImplicitResolvers.put(theC, curr);
                 }
-                curr.add(new ResolverTuple(tag, regexp));
+                curr.add(new ResolverTuple(tag, regexp, limit));
             }
         }
     }
@@ -124,7 +127,7 @@ public Tag resolve(NodeId kind, String value, boolean implicit) {
                 for (ResolverTuple v : resolvers) {
                     Tag tag = v.getTag();
                     Pattern regexp = v.getRegexp();
-                    if (regexp.matcher(value).matches()) {
+                    if (value.length() < v.getLimit() && regexp.matcher(value).matches()) {
                         return tag;
                     }
                 }

src/main/java/org/yaml/snakeyaml/resolver/ResolverTuple.java

@@ -22,10 +22,12 @@
 final class ResolverTuple {
     private final Tag tag;
     private final Pattern regexp;
+    private final int limit;
 
-    public ResolverTuple(Tag tag, Pattern regexp) {
+    public ResolverTuple(Tag tag, Pattern regexp, int limit) {
         this.tag = tag;
         this.regexp = regexp;
+        this.limit = limit;
     }
 
     public Tag getTag() {
@@ -36,6 +38,10 @@ public Pattern getRegexp() {
         return regexp;
     }
 
+    public int getLimit() {
+        return limit;
+    }
+
     @Override
     public String toString() {
         return "Tuple tag=" + tag + " regexp=" + regexp;

src/test/java/org/yaml/snakeyaml/issues/issue431/FlexSimleKeyTest.java

@@ -26,7 +26,7 @@
 
 public class FlexSimleKeyTest extends TestCase {
 
-    private int len = 130;
+    private int len = 90;
 
     public void testLongKey() {
         Yaml dumper = new Yaml(createOptions(len));

src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java

@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) 2008, SnakeYAML
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.yaml.snakeyaml.issues.issue530;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Util;
+import org.yaml.snakeyaml.Yaml;
+
+// Stackoverflow [OSS-Fuzz - 47039]
+public class Fuzzy47039Test {
+
+  @Test
+  public void parseKeyIndicators_47039() {
+    LoaderOptions options = new LoaderOptions();
+    Yaml yaml = new Yaml(options);
+    String strYaml = Util.getLocalResource("fuzzer/YamlFuzzer-5110034188599296");
+    String parsed = yaml.load(strYaml);
+    assertEquals(strYaml.trim(), parsed);
+  }
+}

src/test/java/org/yaml/snakeyaml/resolver/ResolverTupleTest.java

@@ -24,7 +24,7 @@
 public class ResolverTupleTest extends TestCase {
 
     public void testToString() {
-        ResolverTuple tuple = new ResolverTuple(new Tag("dice"), Pattern.compile("\\d+"));
+        ResolverTuple tuple = new ResolverTuple(new Tag("dice"), Pattern.compile("\\d+"), 5);
         assertEquals("Tuple tag=dice regexp=\\d+", tuple.toString());
     }
 }