Summary
Numeric constructors accept malformed scalars (`0x_`, `!!float +_`, `!!float 1::3`) and pass them straight into int/float, bubbling an uncaught ValueError.

PoC:

```python
import yaml

# Each scalar is resolved or explicitly tagged as a number, then crashes inside
# int()/float() with a bare ValueError instead of a yaml.constructor.ConstructorError.
# Run the lines one at a time: the first one raises and stops the script.
yaml.safe_load("0x_")           # resolver matches 0x[0-9a-fA-F_]+, then int('', 16) fails
yaml.safe_load("!!float +_")    # explicit tag; after stripping '_' and '+', float('') fails
yaml.safe_load("!!float 1::3")  # empty sexagesimal segment, float('') fails
```

Traceback:
```text
$ uv run python
Python 3.10.18 (main, Sep 2 2025, 14:19:37) [Clang 20.1.4 ] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yaml
>>> yaml.safe_load("0x_")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/__init__.py", line 125, in safe_load
    return load(stream, SafeLoader)
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/constructor.py", line 51, in get_single_data
    return self.construct_document(node)
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/constructor.py", line 55, in construct_document
    data = self.construct_object(node)
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/home/User/.venv/lib/python3.10/site-packages/yaml/constructor.py", line 250, in construct_yaml_int
    return sign*int(value[2:], 16)
ValueError: invalid literal for int() with base 16: ''
```
Suggested Fix
- Validate prefixes and segments before conversion.
- Wrap numeric parsing in `try`/`except` and raise `ConstructorError`.
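One way to implement both suggestions, as an added example that is not PyYAML's code and not the reporter's: the two parsers below follow the YAML 1.1 `!!int` / `!!float` rules that PyYAML's `construct_yaml_int` / `construct_yaml_float` implement (binary, octal, decimal, hex and sexagesimal forms, `.inf`/`.nan`, `_` separators), but they check every digit run and every `:`-separated segment before calling `int()`/`float()`, and still wrap the conversion so nothing but `MalformedScalar` escapes. `MalformedScalar`, `StrictSafeLoader` and `rejected` are names invented for this example; the PyYAML hookup at the bottom is optional and only runs if PyYAML is importable.

```python
import re


class MalformedScalar(ValueError):
    """Raised for a scalar tagged as a number that cannot be converted.

    Stand-in for yaml.constructor.ConstructorError so the parsers run without
    PyYAML installed; the optional loader below maps it onto the real one.
    """


# Permitted digit characters per base, checked *after* underscores are removed.
_DIGITS = {2: re.compile(r"[01]+"), 8: re.compile(r"[0-7]+"),
           10: re.compile(r"[0-9]+"), 16: re.compile(r"[0-9a-fA-F]+")}
_SEXA_PART = re.compile(r"[0-5]?[0-9]")                # minutes/seconds segment
_SEXA_LAST = re.compile(r"[0-5]?[0-9](?:\.[0-9]*)?")   # last segment of a sexagesimal float
_PLAIN_FLOAT = re.compile(r"(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:e[-+]?[0-9]+)?")


def _to_int(digits, base, raw):
    """Validate one digit run before int() sees it; int() itself must never raise."""
    if not _DIGITS[base].fullmatch(digits):   # also rejects the empty run left by '0x_'
        raise MalformedScalar(f"invalid base-{base} digits in {raw!r}")
    try:
        return int(digits, base)
    except ValueError as exc:                 # defence in depth, unreachable after the check
        raise MalformedScalar(f"cannot convert {raw!r}") from exc


def _split_sign(text):
    """Strip underscores and an optional sign like PyYAML, but refuse an empty remainder."""
    value = text.replace("_", "")
    sign = -1 if value.startswith("-") else 1
    if value[:1] in ("+", "-"):               # not `in "+-"`: '' in "+-" is True
        value = value[1:]
    if not value:
        raise MalformedScalar(f"no digits in {text!r}")
    return sign, value


def parse_int(text):
    """YAML 1.1 !!int: binary, octal, decimal, hex and sexagesimal, with validation."""
    sign, value = _split_sign(text)
    if value == "0":
        return 0
    if value.startswith("0b"):
        return sign * _to_int(value[2:], 2, text)
    if value.startswith("0x"):
        return sign * _to_int(value[2:], 16, text)
    if value[0] == "0":
        return sign * _to_int(value, 8, text)
    if ":" in value:
        parts = value.split(":")              # '1::3' yields an empty middle segment
        if not _DIGITS[10].fullmatch(parts[0]) or not all(_SEXA_PART.fullmatch(p) for p in parts[1:]):
            raise MalformedScalar(f"malformed sexagesimal integer {text!r}")
        result = 0
        for part in parts:
            result = result * 60 + int(part)
        return sign * result
    return sign * _to_int(value, 10, text)


def parse_float(text):
    """YAML 1.1 !!float: .inf/.nan, plain and sexagesimal forms, with validation."""
    sign, value = _split_sign(text)           # '+_' is rejected here, not inside float('')
    value = value.lower()
    if value == ".inf":
        return sign * float("inf")
    if value == ".nan":
        return float("nan")
    if ":" in value:
        parts = value.split(":")
        if (not _DIGITS[10].fullmatch(parts[0])
                or not all(_SEXA_PART.fullmatch(p) for p in parts[1:-1])
                or not _SEXA_LAST.fullmatch(parts[-1])):
            raise MalformedScalar(f"malformed sexagesimal float {text!r}")
        result = 0.0
        for part in parts:
            result = result * 60 + float(part)
        return sign * result
    if not _PLAIN_FLOAT.fullmatch(value):
        raise MalformedScalar(f"malformed float {text!r}")
    try:
        return sign * float(value)
    except ValueError as exc:
        raise MalformedScalar(f"cannot convert {text!r}") from exc


def rejected(text, parser):
    """True if parser refuses text with MalformedScalar rather than a bare ValueError."""
    try:
        parser(text)
    except MalformedScalar:
        return True
    except ValueError:                        # the behaviour this issue reports
        return False
    return False


# Optional: register the validated parsers on a SafeLoader subclass (names are this example's).
try:
    import yaml
    from yaml.constructor import ConstructorError

    class StrictSafeLoader(yaml.SafeLoader):
        """SafeLoader whose int/float constructors raise ConstructorError on bad input."""

    def _as_constructor(parser):
        def construct(loader, node):
            try:
                return parser(loader.construct_scalar(node))
            except MalformedScalar as exc:
                raise ConstructorError(None, None, str(exc), node.start_mark) from exc
        return construct

    StrictSafeLoader.add_constructor("tag:yaml.org,2002:int", _as_constructor(parse_int))
    StrictSafeLoader.add_constructor("tag:yaml.org,2002:float", _as_constructor(parse_float))
except ImportError:                           # PyYAML absent: the parsers above still work
    yaml = None
```

With PyYAML present, `yaml.load("0x_", Loader=StrictSafeLoader)` raises `ConstructorError` carrying the node's mark, which callers already catch as `yaml.YAMLError`; `yaml.safe_load` is left untouched because `add_constructor` copies the constructor table onto the subclass. The regex checks are what stop the crash; the `try`/`except` around `int()`/`float()` is kept only so a future gap in the checks surfaces as a `ConstructorError` rather than a bare `ValueError`.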