There is also definitely a use-after-free if you call _Unwind_DeleteException in your personality before returning _URC_INSTALL_CONTEXT (which you should, if you don't want to leak and your landing pad doesn't call it). I'm not sure, though, how to fix it. It seems the problem that register 0 is ignored is present throughout the whole file, and it seems that a proper fix gets a little bit more complicated.
-- Jonathan