Out of bound access in mi_debug_show_bfield

[VeganPower]

In mi_debug_show_bfield k is used as cursor to write in the buffer buf.

https://github.com/microsoft/mimalloc/blob/dev3-heap/src/arena.c#L1539-1547

static size_t mi_debug_show_bfield(mi_bfield_t field, char* buf, size_t* k) {
  size_t bit_set_count = 0;
  for (int bit = 0; bit < MI_BFIELD_BITS; bit++) {
    bool is_set = ((((mi_bfield_t)1 << bit) & field) != 0);
    if (is_set) bit_set_count++;
    buf[*k++] = (is_set ? 'x' : '.');
  }
  return bit_set_count;
}

But because of the order of operations in this line buf[*k++] = (is_set ? 'x' : '.'); the pointer k is incremented first and then de-referenced.

size_t k = 0;
char buff[1024];
mi_debug_show_bfield(0x1234, buf, &k);

In this case the function will de-reference the area of memory AFTER k, that is not the expected behaviour.

A simple fix should be to work on a temporary variable:

static size_t mi_debug_show_bfield(mi_bfield_t field, char* buf, size_t* k) {
  size_t bit_set_count = 0;
  size_t temp_k = *k;
  for (int bit = 0; bit < MI_BFIELD_BITS; bit++) {
    bool is_set = ((((mi_bfield_t)1 << bit) & field) != 0);
    if (is_set) bit_set_count++;
    buf[temp_k++] = (is_set ? 'x' : '.');
  }
  *k = temp_k;
  return bit_set_count;
}

[daanx]

Thanks! The code is not used normally though but still glad we saw this.