Now that the heap tail check is more or less working, I'm on to implementing protection against double frees and use-after-free of recently freed blocks. The idea is that HEAP_MakeInUseBlockFree() will take the block it's called with, push it onto a FIFO, pull an old block off the FIFO, and mark that old block free. The blocks languishing in the FIFO will be marked inaccessible. If you try to free one, realloc one, or even get its size, you'll get an immediate error; if you write to one, you'll get an error when it comes out of the FIFO or when the heap is validated; and if you're running Valgrind, you'll get an immediate error on any read or write to the freed block. The FIFO will be drained when the heap is destroyed. It will be implemented using a standard Wine list in an optional fixed-size block at the tail of each allocation.
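To make the scheme concrete, here is a small stand-alone model of the quarantine FIFO described above. It is an added example written for this page, not Wine's code: the block header, the ring buffer instead of a Wine list, the depth (QUARANTINE_DEPTH) and the fill byte (FREED_FILL) are all hypothetical choices, and the malloc-backed storage stands in for the real heap. What it does reproduce is the behaviour the paragraph promises: a freed block is filled, made inaccessible to Valgrind, and parked in the FIFO; a second free or a size query on a parked block is an immediate error; a write into a parked block is reported when the block leaves the FIFO or when the heap is validated; and destroying the heap drains the FIFO. The VALGRIND_MAKE_MEM_* macros are Valgrind's real memcheck.h API and compile to nothing when that header is not available.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_VALGRIND_MEMCHECK_H
#include <valgrind/memcheck.h>          /* real Valgrind client-request macros */
#else
#define VALGRIND_MAKE_MEM_NOACCESS(a, n) ((void)0)
#define VALGRIND_MAKE_MEM_DEFINED(a, n)  ((void)0)
#endif

#define QUARANTINE_DEPTH 4      /* hypothetical FIFO size */
#define FREED_FILL       0xfe   /* hypothetical fill byte for quarantined data */

enum block_state { BLOCK_IN_USE = 1, BLOCK_QUARANTINED = 2 };

/* Hypothetical header in front of every user allocation (not Wine's layout). */
struct block { size_t size; unsigned int state; };

struct heap {
    struct block *fifo[QUARANTINE_DEPTH];
    size_t head, count;   /* ring buffer; the oldest entry is fifo[head] */
    int errors;           /* misuse detected so far (double free, write after free, ...) */
};

void heap_init(struct heap *h) { memset(h, 0, sizeof *h); }

static struct block *block_of(void *p) { return (struct block *)p - 1; }

void *heap_alloc(struct heap *h, size_t size)
{
    struct block *b = malloc(sizeof *b + size);
    (void)h;
    if (!b) return NULL;
    b->size = size;
    b->state = BLOCK_IN_USE;
    return b + 1;
}

/* Report a disturbed fill pattern in a quarantined block; returns 1 if disturbed. */
static int check_fill(struct heap *h, struct block *b)
{
    unsigned char *data = (unsigned char *)(b + 1);
    size_t i;
    VALGRIND_MAKE_MEM_DEFINED(data, b->size);   /* the checker itself may read it */
    for (i = 0; i < b->size; i++)
        if (data[i] != FREED_FILL) break;
    VALGRIND_MAKE_MEM_NOACCESS(data, b->size);
    if (i == b->size) return 0;
    fprintf(stderr, "write after free at %p (offset %zu)\n", (void *)data, i);
    h->errors++;
    return 1;
}

/* The oldest block leaves quarantine: check it, then really free it. */
static void release_oldest(struct heap *h)
{
    struct block *old = h->fifo[h->head];
    h->head = (h->head + 1) % QUARANTINE_DEPTH;
    h->count--;
    check_fill(h, old);
    free(old);
}

/* Free = fill, make inaccessible, push onto the FIFO; pop and really free the oldest when full. */
int heap_free(struct heap *h, void *p)
{
    struct block *b = block_of(p);
    if (b->state != BLOCK_IN_USE) {              /* block is parked in the FIFO: double free */
        fprintf(stderr, "double free of %p\n", p);
        h->errors++;
        return -1;
    }
    b->state = BLOCK_QUARANTINED;
    memset(b + 1, FREED_FILL, b->size);
    VALGRIND_MAKE_MEM_NOACCESS(b + 1, b->size);  /* Valgrind now flags any read or write */
    if (h->count == QUARANTINE_DEPTH) release_oldest(h);
    h->fifo[(h->head + h->count) % QUARANTINE_DEPTH] = b;
    h->count++;
    return 0;
}

/* Asking for the size of a quarantined block is an immediate error. */
size_t heap_size(struct heap *h, void *p)
{
    struct block *b = block_of(p);
    if (b->state != BLOCK_IN_USE) { h->errors++; return (size_t)-1; }
    return b->size;
}

/* Validation walks the FIFO and reports every block whose fill was disturbed. */
int heap_validate(struct heap *h)
{
    int bad = 0;
    size_t i;
    for (i = 0; i < h->count; i++)
        bad += check_fill(h, h->fifo[(h->head + i) % QUARANTINE_DEPTH]);
    return bad;
}

/* Destroying the heap drains the FIFO. */
void heap_destroy(struct heap *h)
{
    while (h->count) release_oldest(h);
}
```

Two caveats follow directly from the design. The double-free and size checks only work while the block is still parked: once it has been pushed out of the FIFO and really freed, its header is gone and a later free of it is back to ordinary undefined behaviour, so the FIFO depth is a trade-off between memory held back and the window in which misuse is caught. And the fill pattern only detects writes; a stale read of a quarantined block is invisible to the heap itself and is caught only under Valgrind, which is why the blocks are marked inaccessible rather than merely filled.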
Remind me again why we didn't do this years ago...