Genie - Use after free when adding plugin to patch #63

Open
RareBreeds opened this issue Jul 9, 2022 · 0 comments
Address sanitizer detects a use after free when adding Genie to a patch.

Rack: 5551617afff182925940908eaf73a7d7361303cc
RPJ: 5b4b7d0
Build Command: make -j10 EXTRA_FLAGS=-fsanitize=address EXTRA_LDFLAGS=-fsanitize=address

[9.254 info src/app/Browser.cpp:89 chooseModel] Creating module RPJ Genie
[9.254 info src/app/Browser.cpp:93 chooseModel] Creating module widget RPJ Genie
=================================================================
==82150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000037940 at pc 0x00000c13e851 bp 0x00020636e990 sp 0x00020636e988
WRITE of size 4 at 0x619000037940 thread T15
    #0 0xc13e850 in Genie::doPendulum(rack::engine::Module::ProcessArgs const&) Genie.cpp:97
    #1 0x2113868 in rack::engine::Module::doProcess(rack::engine::Module::ProcessArgs const&) Module.cpp
    #2 0x20fd4b7 in rack::engine::Engine::stepBlock(int) Engine.cpp:551
    #3 0x210a6da in rack::engine::Engine_fallbackRun(rack::engine::Engine*) Engine.cpp:1324
    #4 0x210d81a in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(rack::engine::Engine*), rack::engine::Engine*> >(void*) thread:298
    #5 0x7ff80354d4e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
    #6 0x7ff803548f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)

0x619000037940 is located 0 bytes to the right of 960-byte region [0x619000037580,0x619000037940)
allocated by thread T0 here:
    #0 0xfc326d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5426d)
    #1 0x2115b1e in std::__1::vector<rack::engine::Output, std::__1::allocator<rack::engine::Output> >::__append(unsigned long) vector:1115
    #2 0x210f7f9 in rack::engine::Module::config(int, int, int, int) Module.cpp:64
    #3 0xc13ac9d in Genie::Genie() Genie.cpp:29
    #4 0xc146ae4 in rack::plugin::Model* rack::createModel<Genie, GenieModuleWidget>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >)::TModel::createModule() helpers.hpp:27
    #5 0x1f9c8ed in rack::app::browser::chooseModel(rack::plugin::Model*) Browser.cpp:90
    #6 0x1f9885b in rack::app::browser::ModelBox::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:259
    #7 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #8 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #9 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #10 0x21375b8 in rack::ui::ScrollWidget::onButton(rack::widget::Widget::ButtonEvent const&) ScrollWidget.cpp:130
    #11 0x1f97668 in rack::app::browser::Browser::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:781
    #12 0x2131e94 in rack::ui::MenuOverlay::onButton(rack::widget::Widget::ButtonEvent const&) MenuOverlay.cpp:34
    #13 0x1f66a48 in rack::widget::OpaqueWidget::onButton(rack::widget::Widget::ButtonEvent const&) OpaqueWidget.hpp:21
    #14 0x215cc9a in rack::widget::EventState::handleButton(rack::math::Vec, int, int, int) event.cpp:134
    #15 0x7ff80617ecd0 in -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:]+0x12fa (AppKit:x86_64+0x23ccd0)
    #16 0x7ff8060f2e8d in -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]+0xa15 (AppKit:x86_64+0x1b0e8d)
    #17 0x7ff8060f225d in -[NSWindow(NSEventRouting) sendEvent:]+0x15f (AppKit:x86_64+0x1b025d)
    #18 0x7ff8060f0633 in -[NSApplication(NSEvent) sendEvent:]+0x15f (AppKit:x86_64+0x1ae633)
    #19 0x223ec30 in _glfwPollEventsCocoa cocoa_window.m:1419
    #20 0x2169024 in rack::window::Window::step() Window.cpp:431
    #21 0x2168dc3 in rack::window::Window::run() Window.cpp:409
    #22 0xb329e1 in main standalone.cpp:240
    #23 0x100f3652d in start+0x1cd (dyld:x86_64+0x552d)
    #24 0x100f30fff  (<unknown module>)

Thread T15 created by T0 here:
    #0 0xfb08cc in wrap_pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x418cc)
    #1 0x210d6d7 in std::__1::thread::thread<void (&)(rack::engine::Engine*), rack::engine::Engine*, void>(void (&)(rack::engine::Engine*), rack::engine::Engine*&&) thread:314
    #2 0x210a1ea in rack::engine::Engine::startFallbackThread() Engine.cpp:1348
    #3 0xb32930 in main standalone.cpp:227
    #4 0x100f3652d in start+0x1cd (dyld:x86_64+0x552d)
    #5 0x100f30fff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow Genie.cpp:97 in Genie::doPendulum(rack::engine::Module::ProcessArgs const&)
Shadow bytes around the buggy address:
  0x1c3200006ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3200006f20: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x1c3200006f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200006f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200006f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200006f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82150==ABORTING
zsh: abort      ./Rack -d
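The trace above names a 4-byte write 0 bytes past the end of the outputs vector that Module::config allocated, i.e. a port index one beyond the configured count. The following is an added example, a constructed mock rather than Rack's or RPJ Genie's own code; the port names and the one-past-the-end index are assumptions. It shows the same write shape, which an -fsanitize=address build catches, beside a bounds-checked write that rejects the bad id instead of corrupting the heap.

```cpp
// Constructed mock of the Rack module/port layout behind this report
// (illustration only; not Rack's or RPJ Genie's real code).
#include <cstddef>
#include <stdexcept>
#include <vector>

// Stand-in for rack::engine::Output: the 4-byte float write in the report
// is a voltage like this one landing just past the last port.
struct Output {
    float voltage = 0.f;
    void setVoltage(float v) { voltage = v; }
};

// Stand-in for rack::engine::Module. config() sizes the port vector, which
// is the vector<Output>::__append allocation ASan blames in the trace.
struct Module {
    std::vector<Output> outputs;
    void config(int numOutputs) { outputs.resize(static_cast<size_t>(numOutputs)); }
};

// Rack plugins declare port ids this way: the trailing enumerator is the
// count passed to config(), so allocation and indices come from one place.
enum OutputId { PENDULUM_OUTPUT, TRIGGER_OUTPUT, NUM_OUTPUTS };  // assumed names

struct Genie : Module {
    Genie() { config(NUM_OUTPUTS); }

    // 'Before': an out-of-range id (constructed to match the report's
    // "0 bytes to the right of the region"). operator[] does no check, so
    // this silently corrupts the heap unless built with -fsanitize=address.
    void doPendulumUnchecked(int id, float v) { outputs[id].setVoltage(v); }

    // 'After': validate the port id before writing. Returns false and
    // leaves the heap untouched instead of overflowing.
    bool doPendulumChecked(int id, float v) {
        if (id < 0 || static_cast<size_t>(id) >= outputs.size())
            return false;  // bad id: drop the write (a real module would log it)
        outputs[static_cast<size_t>(id)].setVoltage(v);
        return true;
    }

    float voltageAt(int id) const { return outputs.at(static_cast<size_t>(id)).voltage; }
};

// Exercise the checked path with a valid id and with NUM_OUTPUTS, the
// one-past-the-end id assumed to be behind the report; true if the bad
// write was rejected and the valid one landed.
bool rejectsOneBeyondEnd() {
    Genie g;
    bool okValid = g.doPendulumChecked(TRIGGER_OUTPUT, 5.f);
    bool okBad = g.doPendulumChecked(NUM_OUTPUTS, 1.f);
    return okValid && !okBad && g.voltageAt(TRIGGER_OUTPUT) == 5.f;
}
```

Calling doPendulumUnchecked(NUM_OUTPUTS, 1.f) from a main() compiled with the report's EXTRA_FLAGS=-fsanitize=address produces the same "heap-buffer-overflow ... 0 bytes to the right" diagnosis, with the allocation attributed to config().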
kockie69 self-assigned this Jul 21, 2022
kockie69 added the "bug" label (Something isn't working) Jul 21, 2022