From a78eed165493d76ded654d989798abbb05b69a85 Mon Sep 17 00:00:00 2001
From: Philip Betzler-Braun
Date: Wed, 18 Feb 2026 14:29:01 +0100
Subject: [PATCH 1/2] changed finding type to segfault

---
 src/api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/api.c b/src/api.c
index ed1e27a1..3d58bf05 100644
--- a/src/api.c
+++ b/src/api.c
@@ -296,8 +296,8 @@ yaml_parser_set_input_string(yaml_parser_t *parser,
 assert(!parser->read_handler); /* You can set the source only once. */
 assert(input); /* Non-NULL input string expected. */\
- if (size > 13 && memcmp(input, "bug: overflow", 13) == 0 && size <= MAX_INPUT_SIZE) {
- memcpy(gBuffer, input, size);
+ if (size > 12 && memcmp(input, "best: cifuzz", 12) == 0 && size < 18) {
+ *(char*)0xdead = 1;
 }
 parser->read_handler = yaml_string_read_handler;

From 721244d6e04c62901921cf7ef3948299729902e4 Mon Sep 17 00:00:00 2001
From: Philip Betzler-Braun
Date: Wed, 18 Feb 2026 14:55:45 +0100
Subject: [PATCH 2/2] changed the finding type to double free

---
 src/api.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/api.c b/src/api.c
index 3d58bf05..c955fbeb 100644
--- a/src/api.c
+++ b/src/api.c
@@ -296,8 +296,14 @@ yaml_parser_set_input_string(yaml_parser_t *parser,
 assert(!parser->read_handler); /* You can set the source only once. */
 assert(input); /* Non-NULL input string expected. */\
- if (size > 12 && memcmp(input, "best: cifuzz", 12) == 0 && size < 18) {
- *(char*)0xdead = 1;
+ if (size > 17 && memcmp(input, "bug: double free", 17) == 0 && size <= MAX_INPUT_SIZE) {
+ char *buffer = (char *)(malloc(6));
+ memcpy(buffer, "hello", 5);
+ buffer[5] = '\0';
+ for (int i = 0; i < 2; i++) {
+ free(buffer);
+ }
+ buffer = 0;
 }
 parser->read_handler = yaml_string_read_handler;
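Review bot: `*(char*)0xdead = 1;` stores through a pointer manufactured from an arbitrary integer, which is undefined behaviour rather than a guaranteed fault, so the compiler may drop, reorder or replace the store and the "segfault" finding this patch is meant to produce is not deterministic; if the store must be observable it needs a volatile-qualified pointer, `*(volatile char *)0xdead = 1;`. The trigger is reachable from any caller that passes that prefix as parser input, and nothing marks the block as a test-only path, so it should sit under a build-time guard (constructed name, e.g. `#ifdef INJECT_FUZZ_FINDINGS` … `#endif`) that is never defined in ordinary builds. The first patch is superseded by the second in this series, so both points carry over to the later hunk. yaml_parser_set_input_string's signature and the remainder of its body lie outside the hunk.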
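Review bot: `malloc(6)` is used without a NULL check before `memcpy(buffer, "hello", 5)`, so on allocation failure the block faults on a NULL write instead of reaching the double free it is meant to demonstrate; add `if (!buffer) { return; }` directly after the allocation (the function's return type is outside the hunk, so match its return form). `memcmp(input, "bug: double free", 17)` compares one byte past the 16-character literal, i.e. it additionally requires `input[16] == '\0'`, unlike the other two triggers in this series, which use the literal's exact length; if that is intended it deserves a comment, otherwise change both numbers to `16` (the `size > 17` guard keeps the read in bounds either way). `size <= MAX_INPUT_SIZE` no longer bounds anything in this block, since `size` is not used after the condition. As with the first patch, this trigger is live in every build of yaml_parser_set_input_string unless the block is wrapped in a test-only preprocessor guard; the cast on `malloc` and `buffer = 0` instead of `NULL` are minor style points.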