Fix tree-sitter-markdown scanner serialize buffer overflow #60312

Open: rtfeldman wants to merge 1 commit into main from richard/fr-115-tree-sitter-markdown-scanner-serialize-buffer-overflow

@rtfeldman (Contributor)

Zed bundles the markdown grammar's block scanner natively, and its serialize() memcpys the open-block stack into tree-sitter's fixed 1024-byte serialization buffer with no bounds check. Deeply nested markdown (roughly 255+ open blocks) overflows that buffer, and because it sits at the front of struct TSParser the overflow clobbers the adjacent Stack* pointer and heap, corrupting the parser and producing crashes deep in tree-sitter's parse stack. This points tree-sitter-md at a zed-industries fork of the currently pinned revision that makes serialize() drop its state (so the scanner deserializes fresh) rather than write out of bounds. The bug is still open upstream as tree-sitter-grammars/tree-sitter-markdown#243.

Closes FR-115

Release Notes:

  • Fixed a potential crash when editing Markdown with deeply nested blocks

Point tree-sitter-md at a zed-industries fork of the pinned revision that
guards serialize() against overflowing tree-sitter's fixed serialization
buffer when many markdown blocks are open (deep nesting). The overflow
previously clobbered the parser's adjacent Stack pointer and heap.

Upstream report: tree-sitter-grammars/tree-sitter-markdown#243
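
The guard described in the pull request above, sketched as an added example (not code from the zed-industries fork or from upstream tree-sitter-markdown): a serialize routine that returns 0 when the open-block stack would not fit the 1024-byte buffer, so that deserialize starts from a fresh scanner. The `Scanner` layout, `HEADER_BYTES`, `MAX_OPEN_BLOCKS` and the 4-byte `Block` are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Same value as TREE_SITTER_SERIALIZATION_BUFFER_SIZE in tree-sitter's parser.h. */
#define SERIALIZATION_BUFFER_SIZE 1024
#define HEADER_BYTES 1        /* assumed: one state byte ahead of the blocks */
#define MAX_OPEN_BLOCKS 512   /* assumed in-memory capacity, more than can be saved */

typedef uint32_t Block;       /* assumed 4-byte block tag */

typedef struct {
    uint8_t state;
    uint32_t open_count;
    Block open_blocks[MAX_OPEN_BLOCKS];
} Scanner;

/* Returns the bytes written, or 0 (no saved state) when the open-block
 * stack would not fit in the caller's fixed-size buffer. */
unsigned scanner_serialize(const Scanner *s, char *buffer) {
    size_t blocks_bytes = (size_t)s->open_count * sizeof(Block);
    if (blocks_bytes > (size_t)(SERIALIZATION_BUFFER_SIZE - HEADER_BYTES))
        return 0;             /* drop state instead of writing past the end */
    buffer[0] = (char)s->state;
    if (blocks_bytes > 0)
        memcpy(buffer + HEADER_BYTES, s->open_blocks, blocks_bytes);
    return (unsigned)(HEADER_BYTES + blocks_bytes);
}

/* length == 0 means nothing was saved: start from a fresh scanner. */
void scanner_deserialize(Scanner *s, const char *buffer, unsigned length) {
    s->state = 0;
    s->open_count = 0;
    if (length < (unsigned)HEADER_BYTES)
        return;
    size_t blocks_bytes = length - HEADER_BYTES;
    if (blocks_bytes % sizeof(Block) != 0 || blocks_bytes > sizeof(s->open_blocks))
        return;               /* malformed or oversized input: stay fresh */
    s->state = (uint8_t)buffer[0];
    s->open_count = (uint32_t)(blocks_bytes / sizeof(Block));
    if (blocks_bytes > 0)
        memcpy(s->open_blocks, buffer + HEADER_BYTES, blocks_bytes);
}
```

With these assumed sizes, 255 open blocks serialize to 1021 bytes and fit, while 256 would need 1025 bytes and are dropped.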
@cla-bot cla-bot Bot added the cla-signed The user has signed the Contributor License Agreement label Jul 2, 2026
@zed-community-bot zed-community-bot Bot added the staff Pull requests authored by a current member of Zed staff label Jul 2, 2026