From c0a1c5cfc047936d10ed321542baa4b46fd4cff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ion=20Gazta=C3=B1aga?=
Date: Sat, 29 Sep 2018 09:57:36 +0200
Subject: [PATCH] Fix invalid multiallocation_chain iterator increment after memory was overwritten.
---
 include/boost/container/detail/node_alloc_holder.hpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/boost/container/detail/node_alloc_holder.hpp b/include/boost/container/detail/node_alloc_holder.hpp
index 04ca447..a103e63 100644
--- a/include/boost/container/detail/node_alloc_holder.hpp
+++ b/include/boost/container/detail/node_alloc_holder.hpp
@@ -349,10 +349,11 @@ struct node_alloc_holder
 dtl::scoped_destructor sdestructor(nalloc, 0);
 while(n){
 --n;
+ p = boost::movelib::iterator_to_raw_pointer(itbeg);
+ ++itbeg; //Increment iterator before overwriting pointed memory
 //This does not throw
- p = ::new(boost::movelib::iterator_to_raw_pointer(itbeg), boost_container_new_t()) Node;
+ p = ::new(p, boost_container_new_t()) Node;
 node_deallocator.set(p);
- ++itbeg;
 //This can throw
 boost::container::construct_in_place(nalloc, p->get_real_data_ptr(), beg);
 sdestructor.set(p);
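Review bot: The comment added on `++itbeg` says what is done but not the invariant that makes the order matter, so a later cleanup could move the increment back below the placement-new without noticing. Presumably the chain keeps its next-link inside the free node's own storage, so once `::new(p, boost_container_new_t()) Node` runs, advancing the old iterator position reads overwritten memory; I would spell that out, e.g. `//The chain link lives in the node's storage: advance itbeg before placement-new reuses that memory`. `p` now briefly holds raw, not-yet-constructed storage before it holds a live Node, and a separate local for the raw address would keep those two states apart (p's declaration is outside the hunk, so its type is not visible here). The diffstat shows only this header changed, so a regression test that drives this multi-node allocation loop under a memory-error detector would be worth adding. The loop body and its exception path continue outside the hunk, so any remaining use of `itbeg` there should be checked against the same invariant.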