Serde_yml bug which causes a panic

Hi all, I have encountered a bug with the serde_yml crate, but it appears their repo has issues turned off, only pull requests. I have created a project which demonstrates the panic if anyone wants to take a look. I'll take recommendations, but for now I'm putting it here for visibility. The gist of it is, this panics:

You can find the full project at: a repo I created

// Dependencies assumed for this snippet: serde (with "derive"), serde_yml, and
// tokio with the "fs", "macros" and "rt-multi-thread" features. The `fs` module
// used below is assumed to be tokio::fs.
use serde::{Deserialize, Serialize};
use tokio::fs;

// Minimal struct used by the reproduction: a single string field whose value
// is written out as YAML and then read back in.
#[derive(Debug, Serialize, Deserialize)]
pub struct Test {
    pub content: String,
}

pub async fn demo_panic() -> Result<(), Box<dyn std::error::Error>> {
    use serde_yml::Value;

    let t = Test {
        // NOTE: the amount of spaces at the end matters
        content: "\n    a {\n        ".into(),
    };

    // create the file with the failing string
    // ensure to deserialize using serde_yml
    fs::write("./generated-test.yaml", serde_yml::to_string(&t)?).await?;
    let bad_file = fs::read("./generated-test.yaml").await?;
    println!("attempt to deserialize Test");

    // PANICS //
    let _: Result<Test, _> = serde_yml::from_slice(&bad_file);
    println!("attempt to deserialize serde_yml::Value");

    // PANICS //
    let _: Result<Value, _> = serde_yml::from_slice(&bad_file);
    Ok(())
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    demo_panic().await
}

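An added example, not part of the original post and not code from serde_yml or libyml: a parser that panics on attacker-controlled input is a denial-of-service risk for any service that deserializes untrusted YAML, so until the crate is fixed the panic can be contained with std::panic::catch_unwind and turned into an ordinary error. The `flaky_parse` function below is a constructed stand-in that panics on the same shape of input the report describes (a line after a newline consisting only of spaces); it does not reproduce libyml's scanner logic, and the names `guarded_parse`, `ParseOutcome` and `BAD_INPUT` are this example's own.

```rust
use std::panic::{self, AssertUnwindSafe};

/// The exact string from the original report, kept as a regression case.
pub const BAD_INPUT: &str = "\n    a {\n        ";

/// Constructed stand-in for a parser with a panic bug (NOT libyml): it splits a
/// document into trimmed, non-empty lines, but panics when a line that follows a
/// newline consists only of whitespace, mimicking the failure mode in the thread.
pub fn flaky_parse(input: &str) -> Result<Vec<String>, String> {
    let mut lines = Vec::new();
    for (i, line) in input.split('\n').enumerate() {
        if i > 0 && !line.is_empty() && line.trim().is_empty() {
            panic!("String join would overflow memory bounds");
        }
        if !line.trim().is_empty() {
            lines.push(line.trim().to_string());
        }
    }
    if lines.is_empty() {
        return Err("empty document".to_string());
    }
    Ok(lines)
}

#[derive(Debug, PartialEq)]
pub enum ParseOutcome {
    /// Parser returned Ok.
    Parsed(Vec<String>),
    /// Parser returned an ordinary Err.
    Rejected(String),
    /// Parser panicked; the payload message is captured instead of unwinding further.
    ParserPanicked(String),
}

/// Runs `parser` on untrusted input and converts a panic into a value, so one
/// malformed document cannot take down the whole process.
pub fn guarded_parse<F>(parser: F, input: &str) -> ParseOutcome
where
    F: FnOnce(&str) -> Result<Vec<String>, String>,
{
    // Silence the default panic hook while the parser runs so every bad document
    // does not spam stderr, then restore whatever hook was installed before.
    let previous_hook = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let result = panic::catch_unwind(AssertUnwindSafe(|| parser(input)));
    panic::set_hook(previous_hook);

    match result {
        Ok(Ok(lines)) => ParseOutcome::Parsed(lines),
        Ok(Err(e)) => ParseOutcome::Rejected(e),
        Err(payload) => {
            // panic!("literal") carries a &str payload; format!-style panics carry a String.
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "unknown panic payload".to_string());
            ParseOutcome::ParserPanicked(msg)
        }
    }
}

fn main() {
    println!("{:?}", guarded_parse(flaky_parse, BAD_INPUT));
    println!("{:?}", guarded_parse(flaky_parse, "a: 1\nb: 2\n"));
    println!("{:?}", guarded_parse(flaky_parse, ""));
}
```

This only contains unwinding panics: it does nothing under `panic = "abort"`, it does not stop a parser from exhausting memory or time, and it is no substitute for fixing the crate or switching to one that does not panic. Keeping the trailing-space string as a regression input in the test suite is the cheap part of that follow-up.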
Using the archived serde_yaml crate instead works. Playground. Running the same snippet with serde_yml on my local machine gives the following panic:

thread 'main' panicked at /home/masterusr/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libyml-0.0.5/src/scanner.rs:2798:17:
String join would overflow memory bounds

If I replace the escaped \ns in the yaml file with real line breaks, the code compiles fine. This looks like a bug in the serde_yml crate to me and I believe you should open an issue with them... or not, given that they disabled their issues on GitHub. Edit: re-reading your post I see that you already looked at that option.

Thanks for taking a look! I figured out that the repo supports bug reports. Filed it here: Panic on valid input · Issue #9845 · rust-lang/crates.io · GitHub

Thought I'd close the loop.

The repository you filed that bug report in is for the crates.io website itself, not for projects listed on crates.io. The developers there have no involvement with serde-yml.

The repo of the crate itself does not support bug reports. This should be a red flag for using it.

serde_yml is a borderline malicious pile of AI-generated garbage, btw.