From 4d5bfca81a54c1954dc82820d79227d6c146a0bb Mon Sep 17 00:00:00 2001
From: Stefan Boberg <stefan.boberg@epicgames.com>
Date: Thu, 30 Oct 2025 13:27:44 +0100
Subject: fix use-after-free in TEST_CASE("compactcas.threadedinsert") (#620)

---
 src/zenstore/compactcas.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'src/zenstore/compactcas.cpp')

diff --git a/src/zenstore/compactcas.cpp b/src/zenstore/compactcas.cpp
index 26af5b4b1..e1f17fbb9 100644
--- a/src/zenstore/compactcas.cpp
+++ b/src/zenstore/compactcas.cpp
@@ -1664,19 +1664,21 @@ TEST_CASE("compactcas.threadedinsert")
 				HashKeySet		  Deleted;
 				GcStats			  Stats;
 				GcStoreCompactor* Compactor =
-					Pruner->RemoveUnreferencedData(Ctx, Stats, [&](std::span<IoHash> References) -> std::span<IoHash> {
-						std::vector<IoHash> Unreferenced;
-						HashKeySet			Retain;
+					Pruner->RemoveUnreferencedData(Ctx, Stats, [&](const std::span<IoHash> References) -> std::span<IoHash> {
+						HashKeySet Retain;
 						Retain.AddHashesToSet(KeepHashes);
+
+						auto WriteIt = References.begin();
 						for (const IoHash& ChunkHash : References)
 						{
 							if (!Retain.ContainsHash(ChunkHash))
 							{
-								Unreferenced.push_back(ChunkHash);
+								*WriteIt++ = ChunkHash;
 							}
 						}
-						Deleted.AddHashesToSet(Unreferenced);
-						return Unreferenced;
+						const std::span<IoHash> UnusedReferences = References.subspan(0, std::distance(References.begin(), WriteIt));
+						Deleted.AddHashesToSet(UnusedReferences);
+						return UnusedReferences;
 					});
 				if (Compactor)
 				{
-- 
cgit v1.2.3