Read post-end of data in Rapicorn #25
Description
I found that beast sometimes crashes when I load a certain project. I debugged the issue, and it seems that rapicorn is to blame, basically sizeof (free_list_.data()) is the size of the pointer, and on 64 bit machines is different from the element size (sizeof (free_list_.front()), which seems to be causing crashes sometimes here, no longer reproducable after changing this.
diff --git a/rcore/aida.cc b/rcore/aida.cc
index 274b56b..ac13bac 100644
--- a/rcore/aida.cc
+++ b/rcore/aida.cc
@@ -1654,7 +1654,7 @@ ObjectMap<Instance>::next_index ()
const size_t FREE_LENGTH = 31;
if (free_list_.size() > FREE_LENGTH)
{
- const size_t prandom = byte_hash64 ((uint8*) free_list_.data(), sizeof (free_list_.data()) * free_list_.size());
+ const size_t prandom = byte_hash64 ((uint8*) free_list_.data(), sizeof (free_list_.front()) * free_list_.size());
const size_t end = free_list_.size(), j = prandom % (end - 1);
assert (j < end - 1); // use end-1 to avoid popping the last pushed slot
idx = free_list_[j];