Turns out the push_heap function was placing the heap pointer into a local variable before calling self.reserve(). reserve in turn calls realloc() - which can free the old heap allocation & create a new one. When this happens, the old ptr is becomes invalid.
The code was writing to this invalid pointer (ptr.as_ptr().add(len).write(value)) - which is a use-after-free bug.
I took a look at what was causing #353.
Turns out the
push_heapfunction was placing the heap pointer into a local variable before callingself.reserve(). reserve in turn callsrealloc()- which can free the old heap allocation & create a new one. When this happens, the oldptris becomes invalid.The code was writing to this invalid pointer (
ptr.as_ptr().add(len).write(value)) - which is a use-after-free bug.This PR fixes the bug and adds a regression test.