alt Hacker News> No bounds check. free_count is incremented before the write, and the write uses the pre-increment value as the index. When free_count == num_niovs at entry, the write goes to freelist[num_niovs], one slot past the end.
"No way to prevent this", Says Only Language Where This Regularly Happens
Obviously the way to prevent this is by bounds checking, which is literally in the `770594e` patch. It's just a bug and they happen routinely in all languages. Since this is doing pointer arithmetic, it could just as easily happen in unsafe Rust, for example.