Index: src/OFObject.m
==================================================================
--- src/OFObject.m
+++ src/OFObject.m
@@ -67,12 +67,12 @@
 of_spinlock_t retainCountSpinlock;
 #endif
 };
 struct pre_mem {
- id owner;
 struct pre_mem *prev, *next;
+ id owner;
 };
 #define PRE_IVAR_ALIGN ((sizeof(struct pre_ivar) + \
 (__BIGGEST_ALIGNMENT__ - 1)) & ~(__BIGGEST_ALIGNMENT__ - 1))
 #define PRE_IVAR ((struct pre_ivar*)(void*)((char*)self - PRE_IVAR_ALIGN))
@@ -986,10 +986,17 @@
 iter = PRE_IVAR->firstMem;
 while (iter != NULL) {
 struct pre_mem *next = iter->next;
+ /*
+ * We can use owner as a sentinel to prevent exploitation in
+ * case there is a buffer underflow somewhere.
+ */
+ if (iter->owner != self)
+ abort();
+
 free(iter);
 iter = next;
 }
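Review bot: Moving `owner` to the end of `struct pre_mem` carries no comment, yet the free loop in the second hunk now relies on that position: the caller's memory presumably sits directly after this header, so a write running backwards out of it hits `owner` before `prev`/`next`, which is what makes `iter->owner != self` a usable canary. Add above the field: `/* Must stay the last field: the free loop checks owner before trusting prev/next, so an underflow from the memory behind this header corrupts the sentinel first. */`. For readers of that check it is worth stating its limits too: `self` is a predictable value rather than a random canary, and an underflow that skips past `owner` leaves `prev`/`next` unverified, so this is a crash-on-corruption backstop rather than a bounds check. The free loop's enclosing method starts and ends outside the second hunk.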