Jan Dubois 0374ad6b4b Fix stack overflow from circular alias in traverse (#2647) ... go-yaml accepts cross-document alias references, which the YAML spec forbids (anchors are scoped to a single document). When a nested assignment targets such an alias, UpdateFrom copies the Alias field between nodes, creating a self-referencing AliasNode. Both traverse() and traverseArrayIndices() then follow this cycle indefinitely. Extract resolveAliasChain(), which follows aliases iteratively with a visited set and returns an error on cycles. Both traverse() and traverseArrayIndices() now call it, eliminating the recursive alias handling in both code paths. Note: traverseMergeAnchor() also dereferences aliases (lines 358 and 371) but with single-step assignment, not recursion. A self-referencing alias there falls through the kind switch silently rather than crashing. Using resolveAliasChain() in that function would produce a clear error instead of silently dropping the node. Reproducer (stack overflow before this fix, returns error after): echo '&-- a --- *--' | yq eval-all '. = (.x = 1)' Found by OSS-Fuzz via the lima project's FuzzEvaluateExpression target. https://issues.oss-fuzz.com/issues/390467412 Signed-off-by: Jan Dubois <jan@jandubois.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>		2026-04-06 18:25:13 +10:00
..
yqlib	Fix stack overflow from circular alias in traverse (#2647)	2026-04-06 18:25:13 +10:00