From d7c88780e1df54f34563d60bd7fa01011d2eef03 Mon Sep 17 00:00:00 2001
From: chenluhua1980 <Chenluhua@qq.com>
Date: 星期一, 26 一月 2026 23:17:17 +0800
Subject: [PATCH] 1.CSVData.cpp 里 unserialize 用了 8*2、125*2,但 serialize 只写 8 + 125 字节。 m_svRawData.insert 的 end 指针是 pszBuffer + 125*2,没有用 index 计算,可能把无效区域一起拷进去。 一旦 size 实际是 133(不是 266),就会直接越界,堆会被破坏,m_svDatas.clear() 在销毁元素时崩。

---
 SourceCode/Bond/Servo/CMaster.cpp |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/SourceCode/Bond/Servo/CMaster.cpp b/SourceCode/Bond/Servo/CMaster.cpp
index f51c969..c17be6b 100644
--- a/SourceCode/Bond/Servo/CMaster.cpp
+++ b/SourceCode/Bond/Servo/CMaster.cpp
@@ -119,13 +119,6 @@
 			m_hEventDispatchThreadExit[1] = nullptr;
 		}
 
-		// 閲婃斁浜哄伐鎼嚭缂撳啿鍖洪噷鐨勭幓鐠�
-		for (auto* pGlass : m_bufGlass) {
-			if (pGlass != nullptr) {
-				pGlass->release();
-			}
-		}
-		m_bufGlass.clear();
 
 		DeleteCriticalSection(&m_criticalSection);
 	}
@@ -344,6 +337,13 @@
 		}
 		m_listEquipment.clear();
 
+		// release manual-remove buffer before glass pool is torn down
+		for (auto* pGlass : m_bufGlass) {
+			if (pGlass != nullptr) {
+				pGlass->release();
+			}
+		}
+		m_bufGlass.clear();
 
 		if (m_pCollector != nullptr) {
 			m_pCollector->stopLoop();
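Review bot: The moved release loop over `m_bufGlass` now runs before `m_pCollector->stopLoop()` with no lock held, so if the collector or a dispatch thread can still reach `m_bufGlass` here, a glass may be released while another thread is using it. The class has `m_criticalSection` (deleted in the first hunk's function); if that lock guards this buffer, wrap the loop in `EnterCriticalSection(&m_criticalSection);` and `LeaveCriticalSection(&m_criticalSection);`, or move the loop to after the worker loops are stopped. The added comment says the release must precede the glass pool teardown, yet the loop sits after `m_listEquipment.clear()`, so the comment should name the owner of the pool, for example `// m_bufGlass entries come from <pool owner>; release them before it is destroyed`. Because the first hunk removes the same loop from the other teardown path, any path that destroys the object without calling this function now leaves those references unreleased. The enclosing function starts and ends outside the hunk, so whether the threads are already stopped earlier in it cannot be seen from here.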

--
Gitblit v1.9.3