[BUG] A SEGV in yaml_free at src/api.c:53:14 #312

@JJLeo

Description

Please let me know if you encounter any issues reproducing it — I can upload a Docker image to help.

Steps to reproduce

# Run from a clean libyaml checkout. The fuzzer source and its write handler
# are the ones used by the OSS-Fuzz libyaml project; the library itself is
# built with ASan so the sanitizer sees allocations made inside libyaml.
export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/libyaml/libyaml_dumper_fuzzer.c
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/libyaml/yaml_write_handler.h
export SRC=$PWD
export OUT=$PWD

./bootstrap
./configure
make "-j$(nproc)"

# Build every *_fuzzer.c found in $SRC against the static library,
# mirroring the OSS-Fuzz build.sh for libyaml.
for fuzzer in "$SRC"/*_fuzzer.c; do
  fuzzer_basename=$(basename -s .c "$fuzzer")

  $CC $CFLAGS \
      -I "$SRC" -Iinclude \
      -c "$fuzzer" -o "$fuzzer_basename.o"

  $CXX $CXXFLAGS \
      -std=c++11 \
      "$fuzzer_basename.o" \
      -o "$OUT/$fuzzer_basename" \
      $LIB_FUZZING_ENGINE \
      src/.libs/libyaml.a
done

# $POC is the path to the attached crash input (libyaml_crash.txt below).
POC=./libyaml_crash.txt
./libyaml_dumper_fuzzer "$POC"

Sanitizer output

==15==ERROR: AddressSanitizer: SEGV on unknown address 0x00000046a9fe (pc 0x000000455b24 bp 0x000000000000 sp 0x7ffcde44a8e0 T0)
==15==The signal is caused by a WRITE memory access.
    #0 0x455b24 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/src/libyaml_dumper_fuzzer+0x455b24)
    #1 0x4cfa35 in free (/src/libyaml_dumper_fuzzer+0x4cfa35)
    #2 0x50664f in yaml_free /src/libyaml/src/api.c:53:14
    #3 0x51294b in yaml_document_delete /src/libyaml/src/api.c:1148:5
    #4 0x505ecb in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:308:5
    #5 0x43b543 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/src/libyaml_dumper_fuzzer+0x43b543)
    #6 0x42570e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/src/libyaml_dumper_fuzzer+0x42570e)
    #7 0x42b692 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/src/libyaml_dumper_fuzzer+0x42b692)
    #8 0x454e32 in main (/src/libyaml_dumper_fuzzer+0x454e32)
    #9 0x7e2ffe7e2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x41f8bd in _start (/src/libyaml_dumper_fuzzer+0x41f8bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/libyaml_dumper_fuzzer+0x455b24) in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==15==ABORTING

POC

libyaml_crash.txt

Credit

Reported by Yifan Zhang, PLL
