diff --git a/src/alloc-aligned.c b/src/alloc-aligned.c
index 5da9fc0c..e5976565 100644
--- a/src/alloc-aligned.c
+++ b/src/alloc-aligned.c
@@ -78,7 +78,7 @@ static mi_decl_noinline void* mi_heap_malloc_zero_aligned_at_overalloc(mi_heap_t
   }
   else {
     // otherwise over-allocate
-    oversize = size + alignment - 1;
+    oversize = (size < MI_MAX_ALIGN_SIZE ? MI_MAX_ALIGN_SIZE : size) + alignment - 1;  // adjust for size <= 16; with size 0 and aligment 64k, we would allocate a 64k block and pointing just beyond that.
     p = mi_heap_malloc_zero_no_guarded(heap, oversize, zero);
     if (p == NULL) return NULL;
   }
diff --git a/src/bitmap.c b/src/bitmap.c
index 3060ed96..a03aef69 100644
--- a/src/bitmap.c
+++ b/src/bitmap.c
@@ -289,6 +289,7 @@ static inline bool mi_bchunk_setNX(mi_bchunk_t* chunk, size_t cidx, size_t n, si
     const size_t m = MI_BFIELD_BITS - idx;  // bits to clear in the first field
     mi_assert_internal(m < n);
     mi_assert_internal(i < MI_BCHUNK_FIELDS - 1);
+    mi_assert_internal(idx + m <= MI_BFIELD_BITS);
     size_t already_set1;
     const bool all_set1 = mi_bfield_atomic_set_mask(&chunk->bfields[i], mi_bfield_mask(m, idx), &already_set1);
     mi_assert_internal(n - m > 0);
@@ -800,7 +801,7 @@ mi_decl_noinline static bool mi_bchunk_try_find_and_clearNX(mi_bchunk_t* chunk,
     if (i < MI_BCHUNK_FIELDS-1) {
       const size_t post = mi_bfield_clz(~b);
       if (post > 0) {
-        const size_t pre = mi_bfield_ctz(mi_atomic_load_relaxed(&chunk->bfields[i+1]));
+        const size_t pre = mi_bfield_ctz(~mi_atomic_load_relaxed(&chunk->bfields[i+1]));
         if (post + pre <= n) {
           // it fits -- try to claim it atomically
           const size_t cidx = (i*MI_BFIELD_BITS) + (MI_BFIELD_BITS - post);
diff --git a/src/bitmap.h b/src/bitmap.h
index 435461dd..9969aec0 100644
--- a/src/bitmap.h
+++ b/src/bitmap.h
@@ -175,7 +175,6 @@ static inline bool mi_bitmap_is_clear(mi_bitmap_t* bitmap, size_t idx) {
   return mi_bitmap_is_clearN(bitmap, idx, 1);
 }
 
-
 // Called once a bit is cleared to see if the memory slice can be claimed.
 typedef bool (mi_claim_fun_t)(size_t slice_index, mi_arena_t* arena, mi_heaptag_t heap_tag, bool* keep_set);