https://issues.dlang.org/show_bug.cgi?id=16470
Issue ID: 16470
Summary: Segfault with negative array length
Product: D
Version: D2
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P1
Component: druntime
Assignee: [email protected]
Reporter: [email protected]
The following segfaults when compiled with DMD v2.071.1 (x86 and x86_64, no flags):
void main() {
    ubyte[] buf;
    buf.length = -1; // -1 converts to size_t.max before the runtime call
}
Here is the relevant GDB backtrace:
#0 0xb7c1708a in __memset_sse2_rep () from /usr/lib/libc.so.6
#1 0x080f51d6 in _d_arraysetlengthT ()
While I do not argue that setting a negative length is meaningless, an Error should be thrown instead of segfaulting.
This was found while fuzzing arsd/png.d with afl (American Fuzzy Lop).
--
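The check the report asks for, written out as an added C example that is not druntime's code: a hypothetical array_set_length that rejects a wrapped negative or overflowing length before allocating and zeroing, so a request such as (size_t)-1 is reported as an error rather than handed on to memset. The dyn_array type, the MAX_ELEMS bound and the error codes are assumptions of the example, not anything from the D runtime.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical dynamic array of elem_size-byte elements (example type,
 * not druntime's array layout). */
typedef struct {
    unsigned char *ptr;
    size_t len;   /* element count currently in use */
    size_t cap;   /* bytes allocated at ptr */
} dyn_array;

/* Assumed upper bound on element counts.  Any wrapped negative such as
 * (size_t)-1 == SIZE_MAX lands far above it and is rejected up front. */
#define MAX_ELEMS (SIZE_MAX / 8)

enum { RESIZE_OK = 0, RESIZE_BAD_LENGTH = 1, RESIZE_OOM = 2 };

/* What happens to the -1 in the report once it becomes a length. */
size_t negative_one_as_length(void)
{
    int requested = -1;
    return (size_t)requested;   /* wraps to SIZE_MAX */
}

/* Grow or shrink a to new_len elements, returning an error code instead
 * of touching memory when the request cannot be satisfied. */
int array_set_length(dyn_array *a, size_t elem_size, size_t new_len)
{
    if (elem_size == 0 || new_len > MAX_ELEMS)
        return RESIZE_BAD_LENGTH;
    /* Overflow-checked byte count for the new length. */
    if (new_len > SIZE_MAX / elem_size)
        return RESIZE_BAD_LENGTH;
    size_t new_bytes = new_len * elem_size;
    size_t old_bytes = a->len * elem_size;

    if (new_bytes > a->cap) {
        unsigned char *p = realloc(a->ptr, new_bytes);
        if (p == NULL)
            return RESIZE_OOM;      /* report OOM, never fall through to memset */
        a->ptr = p;
        a->cap = new_bytes;
    }
    /* Zero the grown tail: the memset that ran off the end in the report
     * now only ever covers bytes realloc actually handed out. */
    if (new_bytes > old_bytes)
        memset(a->ptr + old_bytes, 0, new_bytes - old_bytes);
    a->len = new_len;
    return RESIZE_OK;
}

void array_free(dyn_array *a)
{
    free(a->ptr);
    a->ptr = NULL;
    a->len = a->cap = 0;
}
```

The order of the checks matters: the length bound and the multiplication check both run before realloc, and a failed realloc returns before the memset, so no path reaches the zero-fill with a size the allocator did not actually provide.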