From 4a26a4568e0f593b7842d91fbf4ec5f80d06bc65 Mon Sep 17 00:00:00 2001
From: Daan
Date: Thu, 16 May 2024 14:26:05 -0700
Subject: [PATCH] fix out-of-bounds write on span free in huge segments

---
 src/segment.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/segment.c b/src/segment.c
index 9e1b39a2..6044c270 100644
--- a/src/segment.c
+++ b/src/segment.c
@@ -623,7 +623,9 @@ static void mi_segment_span_free(mi_segment_t* segment, size_t slice_index, size
 mi_assert_internal(slice->slice_count == slice_count); // no overflow?
 slice->slice_offset = 0;
 if (slice_count > 1) {
- mi_slice_t* last = &segment->slices[slice_index + slice_count - 1];
+ mi_slice_t* last = slice + slice_count - 1;
+ mi_slice_t* end = (mi_slice_t*)mi_segment_slices_end(segment);
+ if (last > end) { last = end; }
 last->slice_count = 0;
 last->slice_offset = (uint32_t)(sizeof(mi_page_t)*(slice_count - 1));
 last->block_size = 0;
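Review bot: Once `last` has been clamped to `end`, the unchanged context line `last->slice_offset = (uint32_t)(sizeof(mi_page_t)*(slice_count - 1));` no longer describes the distance from `last` back to `slice`, so anything that resolves the first slice through `slice_offset` would land before the span; computing it from the actual pointers, `last->slice_offset = (uint32_t)(sizeof(mi_page_t)*(size_t)(last - slice));`, keeps the two consistent whether or not the clamp fired (unless huge-segment slices are never resolved that way, in which case a comment saying so would do). A second, smaller point: `slice + slice_count - 1` can form a pointer past the end of `slices` before the comparison, which is technically undefined in C even though the clamp then repairs it; clamping the index `slice_index + slice_count - 1` against the end index and only then taking the address avoids that. The write through `last == end` presumably relies on the slices array carrying one extra trailing entry — a one-line comment stating that assumption next to the clamp would help the next reader. The enclosing `if` and the function body continue past the end of the hunk.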