From 5e165d8c05a0c42403cf6e4e86ad5d164b41ee54 Mon Sep 17 00:00:00 2001
From: Gavin Howard
Date: Sun, 25 Jul 2021 19:39:23 -0600
Subject: Fix another crash found by AFL++

This one was caused directly by my stupidity. Sigh...

Signed-off-by: Gavin Howard
---
 src/vector.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/vector.c b/src/vector.c
index de54f913..98c1b01d 100644
--- a/src/vector.c
+++ b/src/vector.c
@@ -502,16 +502,16 @@ char* bc_slabvec_strdup(BcVec *v, const char *str) {
 len = strlen(str) + 1;
 // If the len is greater than 128, then just allocate it with malloc.
- if (BC_UNLIKELY(len > BC_SLAB_SIZE)) {
-
- size_t idx = v->len - 1;
+ if (BC_UNLIKELY(len >= BC_SLAB_SIZE)) {
 // SIZE_MAX is a marker for these standalone allocations.
 slab.len = SIZE_MAX;
 slab.s = bc_vm_strdup(str);
+ // Push the standalone slab.
 bc_vec_push(v, &slab);
+ // Create a new real slab.
 slab_ptr = bc_vec_pushEmpty(v);
 bc_slab_init(slab_ptr);
@@ -561,13 +561,16 @@ void bc_slabvec_undo(BcVec *v, size_t len) {
 // If it is a lone allocation, destroy it instead of the last (empty)
 // slab.
 if (s->len == SIZE_MAX) {
- bc_vec_npopAt(v, 1, 0);
+ bc_vec_npopAt(v, 1, v->len - 2);
 return;
 }
 // If we reach this point, we know the second-to-last slab is a valid
 // slab, so we can discard the last slab.
 bc_vec_pop(v);
+
+ // Get the new top of the stack.
+ s = bc_vec_top(v);
 }
 // Remove the string. The reason we can do this even with the if statement
--
cgit v1.2.3
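Review bot: The comment above the changed condition still says "greater than 128" while the condition is now `>=`, so a string whose strlen-plus-NUL is exactly BC_SLAB_SIZE now also takes the standalone path and the comment no longer matches the code; it should follow the change, e.g. `// If len (which includes the NUL) is at or above BC_SLAB_SIZE, the string cannot go in a slab; allocate it standalone.` Why a len of exactly BC_SLAB_SIZE no longer fits is not visible in this hunk (presumably the slab append path needs one spare byte), so that reason belongs in the same comment to keep the next maintainer from "fixing" it back to `>`. Since this boundary was found by fuzzing, a regression test that feeds a string of exactly BC_SLAB_SIZE - 1 characters through this path would pin the fix. bc_slabvec_strdup begins and ends outside this hunk.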
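Review bot: `bc_vec_npopAt(v, 1, v->len - 2)` computes its index in size_t with no guard, so if bc_slabvec_undo is ever entered with fewer than two slabs the subtraction wraps to SIZE_MAX and the pop indexes out of bounds. The surrounding logic appears to guarantee at least two entries whenever `s->len == SIZE_MAX` (bc_slabvec_strdup pushes the standalone slab and then an empty real slab), but that invariant is only implicit here; a cheap `assert(v->len >= 2);` immediately before the call, or the project's own assertion macro if it has one, would turn a future regression into a clean abort instead of a heap out-of-bounds access. The added `s = bc_vec_top(v);` after `bc_vec_pop(v)` looks right for the removal code that follows, since `s` must refer to the vector's current top once the last slab is gone. bc_slabvec_undo starts before this hunk and the "Remove the string" code continues after it.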