yaml.Unmarshal crashes on "assignment to entry in nil map" #529

Closed
mikedanese opened this issue Oct 21, 2019 · 1 comment · Fixed by kubernetes-sigs/yaml#29

Input:

&8:
<<:
 - *8

8:
( :
 &8
 *8:
<<:
 - *8

Repro on playground:

https://play.golang.org/p/5kggj6uaRFq

panic: assignment to entry in nil map [recovered]
	panic: assignment to entry in nil map

goroutine 1 [running]:
gopkg.in/yaml%2ev2.handleErr(0x42bf78, 0x2d9c0)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/yaml.go:249 +0xc0
panic(0x179f40, 0x1e2bd8)
	/usr/local/go/src/runtime/panic.go:679 +0x240
reflect.mapassign(0x176520, 0x0, 0x40c210, 0x40c218)
	/usr/local/go/src/runtime/map.go:1329 +0x40
reflect.Value.SetMapIndex(0x176520, 0x40c1c0, 0x195, 0x175ba0, 0x40c210, 0x198, 0x1754a0, 0x40c218, 0x194, 0x29fb)
	/usr/local/go/src/reflect/value.go:1679 +0x200
gopkg.in/yaml%2ev2.(*decoder).setMapIndex(0x43c240, 0x432fc0, 0x176520, 0x40c1c0, 0x195, 0x175ba0, 0x40c210, 0x198, 0x1754a0, 0x40c218, ...)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/decode.go:686 +0x280
gopkg.in/yaml%2ev2.(*decoder).mapping(0x43c240, 0x432e00, 0x176520, 0x40c1c0, 0x195, 0x472404, 0x176520, 0x40c1c0)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/decode.go:673 +0x600
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0x43c240, 0x432e00, 0x176520, 0x40c1c0, 0x195, 0x29fb, 0x472300, 0x4)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/decode.go:368 +0x1e0
gopkg.in/yaml%2ev2.(*decoder).document(0x43c240, 0x432dc0, 0x176520, 0x40c1c0, 0x195, 0x472404, 0x432dc0, 0x432e00)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/decode.go:380 +0xa0
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0x43c240, 0x432dc0, 0x176520, 0x40c1c0, 0x195, 0x40c1c0, 0x195, 0x446540)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/decode.go:356 +0x280
gopkg.in/yaml%2ev2.unmarshal(0x45c030, 0x2a, 0x2a, 0x16b880, 0x40c1c0, 0x0, 0x0, 0x0)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/yaml.go:148 +0x3c0
gopkg.in/yaml%2ev2.Unmarshal(...)
	/tmp/gopath217967956/pkg/mod/gopkg.in/yaml.v2@v2.2.4/yaml.go:81
main.main()
	/tmp/sandbox393049481/prog.go:24 +0x120

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18372

niemeyer added a commit that referenced this issue Nov 4, 2019
The problem does not affect v3.
@niemeyer
Contributor

niemeyer commented Nov 4, 2019

Thanks for the report.

This is a bug in the error checking logic on the merge directive handling of aliases. The v3 branch is not affected by this problem.

Here is the cleaned up test case:

a: &x null
<<:
 - *x
b: &x {}

It's fixed with f90ceb4, tagged v2.2.5.

@niemeyer niemeyer closed this as completed Nov 4, 2019
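
The trace in the report ends in `reflect.Value.SetMapIndex` on a nil map. As an added illustration (not go-yaml's code and not the f90ceb4 fix; the names `setMapIndexUnchecked`, `setMapIndexChecked` and `guard` are hypothetical), this standard-library Go program reproduces that panic class, shows a nil check before the reflective assignment, and shows a recover boundary a caller can place around decoding of untrusted input:

```go
package main

import (
	"fmt"
	"reflect"
)

// setMapIndexUnchecked assigns through reflection without a nil check,
// the same call that ends the trace (reflect.Value.SetMapIndex).
func setMapIndexUnchecked(out reflect.Value, k, v interface{}) {
	out.SetMapIndex(reflect.ValueOf(k), reflect.ValueOf(v))
}

// setMapIndexChecked rejects non-map targets and allocates a nil map
// before assigning. out must be settable: reflect.ValueOf(&m).Elem().
func setMapIndexChecked(out reflect.Value, k, v interface{}) error {
	if out.Kind() != reflect.Map {
		return fmt.Errorf("map merge requires map, got %s", out.Kind())
	}
	if out.IsNil() {
		if !out.CanSet() {
			return fmt.Errorf("nil map target is not settable")
		}
		out.Set(reflect.MakeMap(out.Type()))
	}
	out.SetMapIndex(reflect.ValueOf(k), reflect.ValueOf(v))
	return nil
}

// guard runs fn and turns a panic into an error, so one malformed
// document cannot take down the process that parses it.
func guard(fn func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panic: %v", r)
		}
	}()
	fn()
	return nil
}

func main() {
	var m map[string]interface{} // nil map, constructed sample target
	out := reflect.ValueOf(&m).Elem()
	fmt.Println(guard(func() { setMapIndexUnchecked(out, "a", 1) }))
	fmt.Println(setMapIndexChecked(out, "a", 1), m)
}
```

The recover boundary only contains the crash in the calling service; the fix named in this thread is the upgrade to v2.2.5.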
thaJeztah added a commit to thaJeztah/yaml that referenced this issue Nov 28, 2019
full diff: go-yaml/yaml@v2.2.2...v2.2.7

includes:

- go-yaml/yaml@caeefd8
  addresses CVE-2019-11253 JSON/YAML parsing vulnerable to resource exhaustion attack
- go-yaml/yaml#171 Tighten restrictions on float decoding
- go-yaml/yaml#515 Add large document benchmarks, tune alias heuristic, add max depth limits
- go-yaml/yaml@f90ceb4
  fixes go-yaml/yaml#529 yaml.Unmarshal crashes on "assignment to entry in nil map"
- go-yaml/yaml#543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d61
  fixes go-yaml/yaml#548 Invalid simple_keys now cause panics later in decode

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>