heap-buffer-overflow in yaml_emitter_emit_flow_mapping_key

[nora-pxh]

In the current version (0.2.5) use the following file to run fuzz.
https://github.com/google/oss-fuzz/blob/master/projects/libyaml/libyaml_dumper_fuzzer.c

==738353==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000001fc at pc 0x000000576848 bp 0x7ffe5e32e140 sp 0x7ffe5e32e138
READ of size 4 at 0x6060000001fc thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
#0 0x576847 in yaml_emitter_emit_flow_mapping_key /src/libyaml/src/emitter.c:810:27
# 1 0x574046 in yaml_emitter_state_machine /src/libyaml/src/emitter.c
# 2 0x57349e in yaml_emitter_emit /src/libyaml/src/emitter.c:291:14
# 3 0x564e9d in yaml_emitter_close /src/libyaml/src/dumper.c:98:10
# 4 0x55798b in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:268:3
# 5 0x45ae53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
# 6 0x4465c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
# 7 0x44c28e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
# 8 0x475d42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
# 9 0x7fa008cc8b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
# 10 0x422069 in _start (/opt/oss-fuzz/build/out/libyaml/libyaml_dumper_fuzzer+0x422069)

DEDUP_TOKEN: yaml_emitter_emit_flow_mapping_key--yaml_emitter_state_machine--yaml_emitter_emit
0x6060000001fc is located 4 bytes to the left of 64-byte region [0x606000000200,0x606000000240)
allocated by thread T0 here:
#0 0x52207d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
# 1 0x557eec in yaml_malloc /src/libyaml/src/api.c:33:12
# 2 0x559dfd in yaml_emitter_initialize /src/libyaml/src/api.c:368:10
# 3 0x557757 in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:226:8
# 4 0x45ae53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
# 5 0x4465c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
# 6 0x44c28e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
# 7 0x475d42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
# 8 0x7fa008cc8b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)

[perlpunk]

I think this is likely the same as #258 and caused by issues with the fuzzer code.

[perlpunk]

Closing as a duplicate of #258 (strictly 258 is a duplicate of this one, yes) and caused not by a libyaml bug, but by a problem in the fuzztesting code, fixed here: google/oss-fuzz#11818