FYI, found while working on #2352. When we add #HEAP_ADMIN_SPACE to the user requested size, no carry check is done, and if user asks for a 65535 byte buffer, we'll "add" .sizeof(usedblock) (4) to it, get a new size of 3, and happily allocate #HEAP_MIN_BLOCKSIZE (6 bytes).
Same for realloc.