fix out-of-bounds write on span free in huge segments

Daan 2024-05-16 14:26:05 -07:00
parent 44b65b19df
commit 4a26a4568e


@ -623,7 +623,9 @@ static void mi_segment_span_free(mi_segment_t* segment, size_t slice_index, size
mi_assert_internal(slice->slice_count == slice_count); // no overflow?
slice->slice_offset = 0;
if (slice_count > 1) {
mi_slice_t* last = &segment->slices[slice_index + slice_count - 1];
mi_slice_t* last = slice + slice_count - 1;
mi_slice_t* end = (mi_slice_t*)mi_segment_slices_end(segment);
if (last > end) { last = end; }
last->slice_count = 0;
last->slice_offset = (uint32_t)(sizeof(mi_page_t)*(slice_count - 1));
last->block_size = 0;
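Review bot: When the clamp in `if (last > end) { last = end; }` takes effect, `last->slice_offset` two lines later is still computed from `slice_count - 1`, so the stored back-offset no longer matches the distance from the clamped `last` to `slice`. If any code outside this hunk follows that offset from the last slice back to the span start, it would land before `slice`; deriving the value from the clamped pointer keeps the two consistent: `last->slice_offset = (uint32_t)(sizeof(mi_page_t)*(size_t)(last - slice));`. The clamp also leaves `last == end` as a write target, so it appears to rely on the slot returned by `mi_segment_slices_end(segment)` being a real array entry rather than one past the end; a short comment such as `// huge spans: clamp to the final slice entry, which must be writable` would make that invariant checkable. mi_segment_span_free starts and ends outside this hunk.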