Address similar issue to #86

buffer/blit could trigger a use after free if a buffer is
blitted with itself and modifies its length.

src/core/buffer.c

@@ -296,6 +296,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
     janet_arity(argc, 2, 5);
     JanetBuffer *dest = janet_getbuffer(argv, 0);
     JanetByteView src = janet_getbytes(argv, 1);
+    int same_buf = src.bytes == dest->data;
     int32_t offset_dest = 0;
     int32_t offset_src = 0;
     if (argc > 2)
@@ -314,6 +315,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
     if (last > INT32_MAX)
         janet_panic("buffer blit out of range");
     janet_buffer_ensure(dest, (int32_t) last, 2);
+    if (same_buf) src.bytes = dest->data;
     if (last > dest->count) dest->count = (int32_t) last;
     memcpy(dest->data + offset_dest, src.bytes + offset_src, length_src);
     return argv[0];

test/suite2.janet

@@ -46,6 +46,14 @@
 
 (assert (= txs '[[-1 -1] [-1 0] [-1 1] [0 -1] [0 1] [1 -1] [1 0] [1 1]]) "nested seq")
 
+# Buffer self blitting, check for use after free
+(def buf1 @"1234567890")
+(buffer/blit buf1 buf1 -1)
+(buffer/blit buf1 buf1 -1)
+(buffer/blit buf1 buf1 -1)
+(buffer/blit buf1 buf1 -1)
+(assert (= (string buf1) (string/repeat "1234567890" 16)) "buffer blit against self")
+
 # Generators
 (def gen (generate [x :range [0 100] :when (pos? (% x 4))] x))
 (var gencount 0)