fix(lsp): guard trailing append in TS type-text union/intersection parser

DeusData · DeusData · commit 6226972f13f8 · 2026-05-20T00:50:57.000+02:00
parse_ts_type_text in ts_lsp.c builds a 16-slot CBMType* members[] for
union (|) and intersection (&amp;) types. The in-loop branch correctly
caps additions at mc&lt;15, but the trailing post-loop append that
collects the final member after the last separator was unconditional,
and the subsequent members[mc] = NULL sentinel could then write to
members[16] — one past the array end.

Caught by UBSan on the zod codebase (a TS union with &gt;=16 members
exists). Non-deterministic crash signature under pthread-parallel
extraction (12 workers): exit 134 / SIGABRT with no stack, because
libc's allocator detected the heap corruption and called abort().
Single-fixture-file test suite never exercised the parallel path or
a wide-enough union, so existing ASan/UBSan coverage missed it.

Fix: mirror the in-loop guard on the trailing append (cap at mc&lt;15).
Add regression test tslsp_union_many_members_no_overflow that
constructs a 20-member string-literal union — extracting must not
crash. UBSan: clean. Full suite: 3616 passed, 0 failed.
diff --git a/internal/cbm/lsp/ts_lsp.c b/internal/cbm/lsp/ts_lsp.c
@@ -315,8 +315,14 @@ static const CBMType* parse_ts_type_text(CBMArena* arena, const char* text, cons
             }
         }
         if (mc > 0 && (is_union || is_inter)) {
-            char* part = cbm_arena_strndup(arena, text + start, len - start);
-            members[mc++] = parse_ts_type_text(arena, part, module_qn);
+            // Cap mirrors the in-loop guard: members[16] holds at most 15
+            // real entries + the trailing NULL sentinel. Without this guard,
+            // a union/intersection with >=16 members overflows the array
+            // (UBSan: index 16 out of bounds for 'const CBMType *[16]').
+            if (mc < 15) {
+                char* part = cbm_arena_strndup(arena, text + start, len - start);
+                members[mc++] = parse_ts_type_text(arena, part, module_qn);
+            }
             members[mc] = NULL;
             return is_union ? cbm_type_union(arena, members, mc)
                             : cbm_type_intersection(arena, members, mc);
diff --git a/tests/test_ts_lsp.c b/tests/test_ts_lsp.c
@@ -800,6 +800,22 @@ TEST(tslsp_union_common_method) {
     PASS();
 }
 
+TEST(tslsp_union_many_members_no_overflow) {
+    // Regression: a union with >=16 members used to overflow the
+    // 16-slot members[] array in parse_ts_type_text() — the trailing
+    // post-loop append wrote past the end (UBSan: index 16 out of
+    // bounds). The crash was non-deterministic under pthread parallel
+    // extraction, surfaced by indexing the zod TS codebase. Just
+    // extracting must not crash; resolution behavior is unconstrained.
+    CBMFileResult *r = extract_ts(
+        "function go(x: 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' "
+        "| 'i' | 'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' "
+        "| 's' | 't') { return x; }\n");
+    ASSERT_NOT_NULL(r);
+    cbm_free_result(r);
+    PASS();
+}
+
 /* ── Category 9: more class patterns ───────────────────────────────────────── */
 
 TEST(tslsp_class_static_method) {
@@ -4017,6 +4033,7 @@ SUITE(ts_lsp) {
 
     /* Category 16: union deeper */
     RUN_TEST(tslsp_union_common_method);
+    RUN_TEST(tslsp_union_many_members_no_overflow);
 
     /* Category 9: more class patterns */
     RUN_TEST(tslsp_class_static_method);
