commit e3901a774afb6b97e583fd0c7ec77e80c1be6d23 (tree)
parent 030b27851683b0c49a3ee3c2ac08750c3982f720
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Thu, 19 Feb 2026 22:18:33 +0000
verbose_air: fix index-out-of-bounds when shrinking func collector array
Use allocatedSlice() instead of .items to get the full [0..capacity]
slice for realloc. .items only covers [0..len] which causes an
out-of-bounds access when capacity > len.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat:
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/verbose_air.zig b/src/verbose_air.zig
@@ -255,16 +255,16 @@ fn zigCompileAirImpl(
return .{ .items = null, .len = 0, .error_msg = e };
}
- const items = collector.funcs.items;
+ const allocated = collector.funcs.allocatedSlice();
const len: u32 = @intCast(collector.funcs.items.len);
// Transfer ownership: caller frees via zig_compile_air_free.
// The ArrayListUnmanaged allocatedSlice includes capacity, but we only
// expose items[0..len]. Free the excess capacity now.
if (collector.funcs.capacity > len) {
// Shrink to exact size so free works with items[0..len].
- const exact = gpa.realloc(items[0..collector.funcs.capacity], len) catch
- items[0..collector.funcs.capacity]; // keep original on realloc failure
+ const exact = gpa.realloc(allocated, len) catch
+ allocated; // keep original on realloc failure
return .{ .items = exact.ptr, .len = len, .error_msg = null };
}
- return .{ .items = items.ptr, .len = len, .error_msg = null };
+ return .{ .items = allocated.ptr, .len = len, .error_msg = null };
}
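Review bot: The `catch allocated` fallback on the realloc line still returns a buffer whose real allocation length is `collector.funcs.capacity` while reporting only `len` to the caller. If `zig_compile_air_free` rebuilds the slice as `items[0..len]`, as the comment above suggests (that function is not visible here), the free would be passed a length that does not match the allocation, which Zig's allocator contract does not allow. A shrinking `realloc` can fail when the allocator cannot resize in place and has to allocate a new block, so this path is reachable under memory pressure. Consider treating the failure as an error: free `allocated` and return the `.items = null` error result, or use `collector.funcs.toOwnedSlice(gpa)` and report its error, rather than handing out the over-sized block. The body of `zigCompileAirImpl` begins outside this hunk, so the type expected for `error_msg` should be checked there.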