From 4c967b2d6040a71c9e935e28200d5d5ca2675eff Mon Sep 17 00:00:00 2001
From: ~hatteb-mitlyd
Date: Fri, 9 May 2014 12:39:14 -0700
Subject: [PATCH 1/2] avoid use-after-free in raft.c

---
 v/raft.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/v/raft.c b/v/raft.c
index b59b294e4..93f69c0f6 100644
--- a/v/raft.c
+++ b/v/raft.c
@@ -1684,12 +1684,10 @@ u2_raft_work(u2_reck* rec_u) if ( egg_u == rec_u->ova.geg_u ) { c3_assert(egg_u->nex_u == 0); rec_u->ova.geg_u = rec_u->ova.egg_u = 0; - free(egg_u); } else { c3_assert(egg_u->nex_u != 0); rec_u->ova.egg_u = egg_u->nex_u; - free(egg_u); } if ( u2_yes == egg_u->cit ) {
@@ -1701,6 +1699,7 @@ u2_raft_work(u2_reck* rec_u) uL(fprintf(uH, "vere: event executed but not persisted\n")); c3_assert(0); } + free(egg_u); } else break; }

From c5b2463de49dd29feb648454afc17ec7549e1b39 Mon Sep 17 00:00:00 2001
From: ~hatteb-mitlyd
Date: Fri, 9 May 2014 12:45:41 -0700
Subject: [PATCH 2/2] Revert "Revert "fix rub to crash gracefully upon decoding invalid data""

This reverts commit 8c87faf180e00c582b01f7c4e82b77b17933596a.

The previous use-after-free fix appears to alleviate the crash "caused" by this code.
---
 gen164/5/rub.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/gen164/5/rub.c b/gen164/5/rub.c
index d23e5d277..923780ea5 100644
--- a/gen164/5/rub.c
+++ b/gen164/5/rub.c
@@ -16,6 +16,8 @@ u2_atom w, x, y, z; u2_atom p, q; + u2_atom m = j2_mbc(Pt1, add)(wir_r, a, u2_met(0, b)); + // Compute c and d. { x = u2_rx(wir_r, a);
@@ -23,6 +25,12 @@ while ( _0 == j2_mbc(Pt3, cut)(wir_r, _0, x, _1, b) ) { u2_atom y = j2_mbc(Pt1, inc)(wir_r, x); + // Sanity check: crash if decoding more bits than available + if ( u2_yes == j2_mbc(Pt1, gth)(wir_r, x, m)) { + // fprintf(stderr, "[%%rub-hard %d %d %d]\r\n", a, x, m); + return u2_bl_bail(wir_r, c3__exit); + } + u2_rz(wir_r, x); x = y; }
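Review bot: The relocated `free(egg_u);` in the second raft.c hunk now sits after the last read of the egg (`egg_u->cit`), but nothing in the code records that ordering, which is exactly what the removed lines in the first hunk got wrong; a comment on the added line such as `/* egg_u was unlinked from rec_u->ova above but is still read (cit); free only after its last use */` would stop the next refactor from moving it back. On the `c3_assert(0)` path ("event executed but not persisted") the egg is not freed, which is harmless only because the assert aborts — worth a one-line remark so it is not mistaken for a leak. The enclosing loop and the body of the `u2_yes == egg_u->cit` branch lie outside both hunks, so whether `egg_u` is reloaded from `rec_u->ova.egg_u` before the next iteration cannot be confirmed from here.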
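Review bot: `m` is produced by `j2_mbc(Pt1, add)` in the first rub.c hunk but, as far as the two hunks show, is never released; the loop in the second hunk releases each `inc` result through `u2_rz`, so if `add` likewise returns a reference-counted noun, `m` leaks on every call, on the normal path as well as on the new bail path. If that is the case, a `u2_rz(wir_r, m);` before the function's normal return and before `u2_bl_bail` is needed (whether bailing reclaims allocations is not visible here). The function body starts before and continues past these hunks, so the normal return is outside view.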
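Review bot: In the second rub.c hunk the bound check runs after `u2_atom y = j2_mbc(Pt1, inc)(wir_r, x);` has already allocated, so on the bail path both `y` and the `u2_rx`'d `x` are dropped without `u2_rz`; moving the `if ( u2_yes == j2_mbc(Pt1, gth)(wir_r, x, m)) {` block above the `inc` line and adding `u2_rz(wir_r, x);` before `return u2_bl_bail(wir_r, c3__exit);` avoids that, unless `u2_bl_bail` itself reclaims the road, which these hunks do not show. The comment "crash if decoding more bits than available" undersells the purpose: this is a controlled `c3__exit` bail whose job is to bound the zero-bit scan in `while ( _0 == j2_mbc(Pt3, cut)(...) )` so that malformed input presumably cannot keep the loop allocating indefinitely; `// Bail (c3__exit) once the cursor passes the bit-length of b; bounds the zero-scan on malformed input` says that. The commented-out `fprintf(stderr, "[%%rub-hard ...` line is dead code and should be deleted rather than carried. The enclosing function starts and ends outside the hunk.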
@@ -77,6 +85,6 @@ */ u2_ho_jet j2_mbj(Pt5, rub)[] = { - { ".2", c3__hevy, j2_mb(Pt5, rub), Tier3, u2_none, u2_none }, + { ".2", c3__hevy, j2_mb(Pt5, rub), Tier5, u2_none, u2_none }, { } };