Code at the speed of thought – Zed is a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.
Go to file
Marshall Bowers 081e9b9a60
Fix panic when loading malformed Wasm files (#10370)
This PR fixes a potential panic that could occur when loading malformed
Wasm files.

We now use the `parse_wasm_extension_version` function that was
previously used just to extract the Zed extension API version from the
Wasm bytes as a pre-validation step. By parsing the entirety of the Wasm
file here instead of returning as soon as we find the version, the
invalid Wasm bytes are now surfaced as an `Err` instead of a panic.

We were able to replicate the panic using the following test:

```rs
#[gpui::test]
async fn test_bad_wasm(cx: &mut TestAppContext) {
    init_test(cx);

    let wasm_host = cx.update(|cx| {
        WasmHost::new(
            FakeFs::new(cx.background_executor().clone()),
            FakeHttpClient::with_200_response(),
            FakeNodeRuntime::new(),
            Arc::new(LanguageRegistry::test(cx.background_executor().clone())),
            PathBuf::from("/the/work/dir".to_string()),
            cx,
        )
    });

    let mut wasm_bytes = std::fs::read("/Users/maxdeviant/Library/Application Support/Zed/extensions/installed/dart/extension.wasm").unwrap();

    // This is the error message we were seeing in the stack trace:
    // range end index 267037 out of range for slice of length 253952

    dbg!(&wasm_bytes.len());

    // Truncate the bytes to the same point:
    wasm_bytes.truncate(253952);

    std::fs::write("/tmp/bad-extension.wasm", wasm_bytes.clone()).unwrap();

    let manifest = Arc::new(ExtensionManifest {
        id: "the-extension".into(),
        name: "The Extension".into(),
        version: "0.0.1".into(),
        schema_version: SchemaVersion(1),
        description: Default::default(),
        repository: Default::default(),
        authors: Default::default(),
        lib: LibManifestEntry {
            kind: None,
            version: None,
        },
        themes: Default::default(),
        languages: Default::default(),
        grammars: Default::default(),
        language_servers: Default::default(),
    });

    // 💥
    let result = wasm_host
        .load_extension(wasm_bytes, manifest, cx.executor())
        .await;
    dbg!(result.map(|_| ()));
```



Release Notes:

- Fixed a crash that could occur when loading malformed Wasm extensions
([#10352](https://github.com/zed-industries/zed/issues/10352)).

---------

Co-authored-by: Max <max@zed.dev>
2024-04-10 14:13:43 -04:00
.cargo Enable tokio-console (#8897) 2024-03-05 10:56:14 -07:00
.config tests: Test 'db' package sequentially (#2654) 2023-06-28 15:00:43 +02:00
.github Revert "Update GITHUB_TOKEN environment variable for Danger (#10365)" 2024-04-10 13:29:54 -04:00
.zed Format prettier_server.js (#9583) 2024-03-20 19:49:14 +01:00
assets Line numbers short mode (#10354) 2024-04-10 12:08:07 +02:00
crates Fix panic when loading malformed Wasm files (#10370) 2024-04-10 14:13:43 -04:00
docs chore: Remove tasks.md (#10273) 2024-04-08 16:21:24 +02:00
extensions Use v0.0.6 of the zed_extension_api for extensions that need it (#10324) 2024-04-09 10:57:26 -04:00
script Bump PyGithub 2024-04-07 01:13:34 -04:00
tooling/xtask Windows: Enable clippy deny warnings (#9920) 2024-03-28 11:55:35 -04:00
.dockerignore Add serialized versions of themes (#6885) 2024-01-27 13:35:43 -05:00
.gitattributes Prevent GitHub from displaying comments within JSON files as errors (#7043) 2024-01-29 23:11:25 -05:00
.gitignore windows: Add file dialog using IFileOpenDialog (#8919) 2024-03-08 20:07:48 -08:00
.gitmodules WIP: start on live_kit_server 2022-10-17 09:59:16 +02:00
.mailmap Update .mailmap (#7871) 2024-02-15 18:35:43 -05:00
Cargo.lock Introduce TextField by adding the ui_text_field crate (#10361) 2024-04-10 11:53:25 -04:00
Cargo.toml Introduce TextField by adding the ui_text_field crate (#10361) 2024-04-10 11:53:25 -04:00
CODE_OF_CONDUCT.md Add CODE_OF_CONDUCT.md (#4239) 2024-01-23 22:31:39 -05:00
CONTRIBUTING.md Style crate names in CONTRIBUTING.md (#6939) 2024-01-28 11:07:37 -05:00
debug.plist WIP 2023-12-14 09:25:14 -07:00
docker-compose.sql Add config files for running Postgres inside Docker Compose (#3637) 2023-12-13 17:25:07 -05:00
docker-compose.yml Add LiveKit server to Docker Compose (#7907) 2024-02-16 10:49:48 -05:00
Dockerfile Revert "Revert "chore: Bump Rust version to 1.77 (#9631)"" (#9672) 2024-03-22 11:17:16 +01:00
LICENSE-AGPL chore: Add crate licenses. (#4158) 2024-01-23 16:56:22 +01:00
LICENSE-APACHE chore: Add crate licenses. (#4158) 2024-01-23 16:56:22 +01:00
LICENSE-GPL Licenses: change license fields in Cargo.toml to AGPL-3.0-or-later. (#5535) 2024-01-27 13:51:16 +01:00
livekit.yaml Add LiveKit server to Docker Compose (#7907) 2024-02-16 10:49:48 -05:00
Procfile Make collab quieter on startup (#8685) 2024-03-01 13:39:13 -07:00
README.md Update Homebrew installation instructions (#9356) 2024-03-14 14:00:31 -04:00
rust-toolchain.toml Revert "Revert "chore: Bump Rust version to 1.77 (#9631)"" (#9672) 2024-03-22 11:17:16 +01:00
typos.toml Remove basic.conf (#10120) 2024-04-03 09:38:36 -04:00

Zed

CI

Welcome to Zed, a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.

Installation

You can download Zed today for macOS (v10.15+).

Support for additional platforms is on our roadmap:

For macOS users, you can also install Zed using Homebrew:

brew install zed

Alternatively, to install the Preview release:

brew tap homebrew/cask-versions
brew install zed-preview

Developing Zed

Contributing

See CONTRIBUTING.md for ways you can contribute to Zed.

Licensing

License information for third party dependencies must be correctly provided for CI to pass.

We use cargo-about to automatically comply with open source licenses. If CI is failing, check the following:

  • Is it showing a no license specified error for a crate you've created? If so, add publish = false under [package] in your crate's Cargo.toml.
  • Is the error failed to satisfy license requirements for a dependency? If so, first determine what license the project has and whether this system is sufficient to comply with this license's requirements. If you're unsure, ask a lawyer. Once you've verified that this system is acceptable add the license's SPDX identifier to the accepted array in script/licenses/zed-licenses.toml.
  • Is cargo-about unable to find the license for a dependency? If so, add a clarification field at the end of script/licenses/zed-licenses.toml, as specified in the cargo-about book.