Fix tree-sitter-markdown scanner serialize buffer overflow#60312
Open
rtfeldman wants to merge 1 commit into
Conversation
Point tree-sitter-md at a zed-industries fork of the pinned revision that guards serialize() against overflowing tree-sitter's fixed serialization buffer when many markdown blocks are open (deep nesting). The overflow previously clobbered the parser's adjacent Stack pointer and heap. Upstream report: tree-sitter-grammars/tree-sitter-markdown#243
Zed bundles the markdown grammar's block scanner natively, and its `serialize()` memcpys the open-block stack into tree-sitter's fixed 1024-byte serialization buffer with no bounds check. Deeply nested markdown (roughly 255+ open blocks) overflows that buffer, and because it sits at the front of `struct TSParser` the overflow clobbers the adjacent `Stack*` pointer and heap, corrupting the parser and producing crashes deep in tree-sitter's parse stack. This points `tree-sitter-md` at a `zed-industries` fork of the currently pinned revision that makes `serialize()` drop its state (so the scanner deserializes fresh) rather than write out of bounds. The bug is still open upstream as tree-sitter-grammars/tree-sitter-markdown#243.

Closes FR-115
Release Notes:
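As an added illustration of the guard the fork introduces (example code written for this page, not the fork's or tree-sitter-markdown's own), the C sketch below serializes a simplified open-block stack into a buffer of tree-sitter's fixed size and drops the state when it would not fit, following tree-sitter's external-scanner convention that `serialize` returns the byte count and `deserialize` with length 0 means a fresh scanner. The `Scanner` layout and the one-byte-per-block encoding are hypothetical, so the depth at which state is dropped differs from the roughly 255 blocks the description cites.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same value as TREE_SITTER_SERIALIZATION_BUFFER_SIZE in tree-sitter's
 * parser.h; redefined here so the example builds without that header. */
#define SERIALIZATION_BUFFER_SIZE 1024

/* Simplified stand-in for the scanner state (hypothetical layout): the real
 * block scanner keeps more fields, but the open-block stack is what grows. */
typedef struct {
    uint8_t *open_blocks;  /* one tag byte per currently open block */
    size_t   open_count;   /* depth of the open-block stack */
} Scanner;

/* Guarded serialize. The unguarded original copied open_count bytes into
 * `buffer` unconditionally; here a state that would not fit is dropped by
 * writing nothing and returning 0 (tree-sitter's "no saved state"). */
unsigned scanner_serialize(const Scanner *s, char *buffer) {
    if (s->open_count > SERIALIZATION_BUFFER_SIZE) {
        return 0;  /* drop state instead of overflowing into TSParser */
    }
    memcpy(buffer, s->open_blocks, s->open_count);
    return (unsigned)s->open_count;
}

/* Length 0 must reset to a fresh scanner: that is what follows a dropped
 * state, and also how tree-sitter starts every parse. */
void scanner_deserialize(Scanner *s, const char *buffer, unsigned length) {
    s->open_count = 0;
    if (length == 0) return;
    memcpy(s->open_blocks, buffer, length);
    s->open_count = length;
}

/* Round-trips a scanner with `depth` open blocks through a fixed-size buffer
 * and returns the depth that survives: `depth` if it fit, otherwise 0. */
size_t roundtrip_depth(size_t depth) {
    char buffer[SERIALIZATION_BUFFER_SIZE];
    uint8_t out_blocks[SERIALIZATION_BUFFER_SIZE] = {0};
    uint8_t *blocks = malloc(depth + 1);  /* +1 keeps depth 0 valid */
    memset(blocks, 0x01, depth + 1);      /* constructed block tags */
    Scanner in = { blocks, depth };
    Scanner out = { out_blocks, 0 };
    scanner_deserialize(&out, buffer, scanner_serialize(&in, buffer));
    size_t result = out.open_count;
    free(blocks);
    return result;
}
```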