From e9d10ce5445061be4967baa5800a2dc40e5c4970 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ion=20Gazta=C3=B1aga?=
Date: Tue, 26 Jun 2018 21:50:05 +0200
Subject: [PATCH] Fixes GitHub #75 ("flat_set: Heap overflow")
---
 doc/container.qbk | 1 +
 include/boost/container/vector.hpp | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/doc/container.qbk b/doc/container.qbk
index 5030cae..27e405b 100644
--- a/doc/container.qbk
+++ b/doc/container.qbk
@@ -1253,6 +1253,7 @@ use [*Boost.Container]? There are several reasons for that:
 * [@https://svn.boost.org/trac/boost/ticket/13533 Trac #13533: ['"Boost vector resize causes assert(false)"]].
 * [@https://github.com/boostorg/container/issues/73 GitHub #73: ['"triviality of pair"]].
 * [@https://github.com/boostorg/container/issues/74 GitHub #74: ['"vector assignment not using memcpy"]].
+ * [@https://github.com/boostorg/container/issues/75 GitHub #75: ['"flat_set: Heap overflow"]].
 * Fixed race condition bug in [classref boost::container::pmr::unsynchronized_pool_resource unsynchronized_pool_resource] found by Arthur O'Dowyer in his blog post [@https://quuxplusone.github.io/blog/2018/06/05/libcpp-memory-resource/ for libc++]
diff --git a/include/boost/container/vector.hpp b/include/boost/container/vector.hpp
index a1f4b03..7481061 100644
--- a/include/boost/container/vector.hpp
+++ b/include/boost/container/vector.hpp
@@ -2197,11 +2197,11 @@ class vector
 template
 BOOST_CONTAINER_FORCEINLINE void merge_unique(InputIt first, InputIt last, Compare comp)
 {
- size_type const s = this->size();
+ size_type const old_size = this->size();
 this->priv_set_difference_back(first, last, comp);
 T *const raw_beg = this->priv_raw_begin();
 T *const raw_end = this->priv_raw_end();
- T *raw_pos = raw_beg + s;
+ T *raw_pos = raw_beg + old_size;
 boost::movelib::adaptive_merge(raw_beg, raw_pos, raw_end, comp, raw_end, this->capacity() - this->size());
 }
@@ -2278,14 +2278,14 @@ class vector
 if (comp(*first1, *first2)) {
 this->emplace_back(*first1);
- //Reallocation happened, update range
 T * const raw_begin = this->priv_raw_begin();
- if(old_first2 != raw_begin){
+ if(old_first2 != raw_begin)
+ {
+ //Reallocation happened, update range
 first2 = raw_begin + (first2 - old_first2);
- last2 = first2 + (last2 - old_first2);
+ last2 = raw_begin + (last2 - old_first2);
 old_first2 = raw_begin;
 }
- ++first1;
 }
 else {