When the buffer size is exactly 1, we fail to grow it properly, since the integer truncation means that 1 * 3 / 2 = 1. This can cause a bad write on the line below. Bandaid this by first padding the buffer by 16, and then growing it. This still allows old blocks to fit into new ones, but fixes the case where the block size equals 1. Co-authored-by: Jeff King <peff@xxxxxxxx> Signed-off-by: Jeff King <peff@xxxxxxxx> Signed-off-by: Taylor Blau <me@xxxxxxxxxxxx> --- ewah/ewah_bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ewah/ewah_bitmap.c b/ewah/ewah_bitmap.c index d59b1afe3d..3fae04ad00 100644 --- a/ewah/ewah_bitmap.c +++ b/ewah/ewah_bitmap.c @@ -45,7 +45,7 @@ static inline void buffer_grow(struct ewah_bitmap *self, size_t new_size) static inline void buffer_push(struct ewah_bitmap *self, eword_t value) { if (self->buffer_size + 1 >= self->alloc_size) - buffer_grow(self, self->buffer_size * 3 / 2); + buffer_grow(self, (self->buffer_size + 16) * 3 / 2); self->buffer[self->buffer_size++] = value; } -- 2.29.2.312.gabc4d358d8
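Review bot: The new growth expression `(self->buffer_size + 16) * 3 / 2` carries no inline comment, so the reason for the `+ 16` (that `1 * 3 / 2` truncates to 1 and `buffer_grow()` would then be asked for a size no larger than the current one) lives only in the commit message; a reader of `buffer_push()` later will see a magic constant. Either add a one-line comment above the call explaining that the pad guarantees the requested size strictly exceeds `alloc_size` for every `buffer_size`, or express it with the `alloc_nr()` macro that Git already uses for the same "(x + 16) * 3 / 2" growth policy elsewhere, so the intent is self-documenting and the formula stays in one place. It would also be worth stating in the message (or asserting in `buffer_grow()`, which is outside this hunk) that the function is never called with `new_size <= self->alloc_size`, since the `self->buffer_size + 1 >= self->alloc_size` check only guards the write on the following line, not the adequacy of the requested size.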