Invalidate iterator->first on dtor to expose use-after-free

[gdh1995]

A Node variable's iterator creates temporary variables (iterator_base::proxy) to expose an array element or mapped key+value of the node. However this usage may cause dangling pointers on proxy.first and proxy.second.

Here is a demo:

YAML::Node node;
node["key"] = "value";
const YAML::Node& invalid_node = node.begin()->first;
std::string key_str = invalid_node.Scalar();

The invalid_node refers to a destroyed proxy-typed variable, and then:

1. if its memory region is not overwritten when calling invalid_node.Scalar(), then it may return std::string("key") as expected.
2. if data in its memory region gets modified (e.g., by XXmalloc library or with ASAN enabled), then it may cause a crash.

This PR will fix this undefined behavior, by always filling memory region of proxy variables with 0, and then such a wrong usage will always cause a crash.

Also fix #1071 .

[SGSSGene]

very cool! if I understand correctly, it doesn't really fix the bug, but makes it much more likely to be detected at run time, right?

[gdh1995]

Yes, this PR will make developers notice the wrong usage if only it's executed.

…

---Original--- From: "Simon Gene ***@***.***> Date: Fri, Feb 27, 2026 23:02 PM To: ***@***.***>; Cc: "Dahan ***@***.******@***.***>; Subject: Re: [jbeder/yaml-cpp] Invalidate iterator->first on dtor to exposeuse-after-free (PR #1409) SGSSGene left a comment (jbeder/yaml-cpp#1409) very cool! if I understand correctly, it doesn't really fix the bug, but makes it much more likely to be detected at run time, right? — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>