D issues are now tracked on GitHub. This Bugzilla instance remains as a read-only archive.
Issue 16469 - Segmentation fault in bigAlloc with negative size
Summary: Segmentation fault in bigAlloc with negative size
Status: RESOLVED DUPLICATE of issue 16470
Alias: None
Product: D
Classification: Unclassified
Component: druntime
Version: D2
Hardware: x86 Linux
Importance: P1 normal
Assignee: No Owner
Reported: 2016-09-05 20:23 UTC by Cédric Picard
Modified: 2016-09-06 15:02 UTC

Description Cédric Picard 2016-09-05 20:23:32 UTC
The following snippet segfaults with DMD 2.071.1 when compiled with no flags:

    void main() {
        // -18 is an int literal; the array length is a size_t, so the
        // requested length is size_t.max - 17, not a small negative number
        auto buf = new ubyte[-18];
    }

For some reason, values between 0 and -17 cause an OutOfMemoryError but no segfault.

This was found while fuzzing arsd/png.d with afl (American Fuzzy Lop).
Comment 1 Lodovico Giaretta 2016-09-06 12:30:30 UTC

*** This issue has been marked as a duplicate of issue 16470 ***
Comment 2 Cédric Picard 2016-09-06 14:54:49 UTC
Is it a duplicate? Judging only from gdb backtrace those are different issues. I haven't checked in druntime though.
Comment 3 Lodovico Giaretta 2016-09-06 15:02:14 UTC
(In reply to Cédric Picard from comment #2)
> Is it a duplicate? Judging only from gdb backtrace those are different
> issues. I haven't checked in druntime though.

As in the other issue, the problem is that a negative constant becomes a huge size_t value, which should trigger an OutOfMemoryError but segfaults instead.
So IMHO it's the same issue. It may well be that druntime has the wrong code in two different places, but they are probably two copies of the same logic, as enlarging (not in place) and allocating perform the same checks and the same steps.

But of course anybody is free to reopen this if it's deemed necessary.
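The failure mode discussed in this thread, a small negative length that becomes a huge size_t, is the same integer-wrap pattern that bites any allocator which turns a length into a byte count. The program below is an added example written for this page; it is not druntime's code and does not reproduce the DMD crash, and every function name in it (length_as_size_t, naive_alloc_size, checked_alloc_size, safe_array_alloc) is hypothetical. It is in C rather than D so that it can be run with any C compiler. It shows what -18 becomes as an unsigned size, how a naive length times element-size product wraps to a tiny value for other inputs, and a checked version that rejects the wrap and fails cleanly when the allocator refuses, instead of dereferencing anything on the error path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: reinterpret a signed length the way an implicit
 * int -> size_t conversion does (two's complement).  -18 becomes SIZE_MAX - 17. */
size_t length_as_size_t(long long n) {
    return (size_t)n;
}

/* Naive byte-count computation: the product wraps silently on overflow. */
size_t naive_alloc_size(size_t length, size_t elem_size) {
    return length * elem_size;
}

/* Checked byte-count computation.  Returns 0 and stores length * elem_size in
 * *out, or returns -1 when the product would not fit in a size_t. */
int checked_alloc_size(size_t length, size_t elem_size, size_t *out) {
    if (elem_size == 0 || length == 0) {
        *out = 0;
        return 0;
    }
    if (length > SIZE_MAX / elem_size) {
        return -1;               /* product would wrap */
    }
    *out = length * elem_size;
    return 0;
}

/* Allocate an array of `length` elements of `elem_size` bytes each.
 * Returns NULL when the size is unrepresentable or the allocator refuses it;
 * nothing on the failure path touches memory, so a bogus length cannot crash. */
void *safe_array_alloc(size_t length, size_t elem_size) {
    size_t bytes;
    if (checked_alloc_size(length, elem_size, &bytes) != 0) {
        return NULL;
    }
    if (bytes == 0) {
        bytes = 1;               /* sidestep the implementation-defined malloc(0) */
    }
    return malloc(bytes);
}

int main(void) {
    /* Constructed inputs: the -18 from the report, and a length chosen to wrap. */
    size_t len = length_as_size_t(-18);
    size_t bytes;

    printf("-18 as size_t: %zu (SIZE_MAX - %zu)\n", len, SIZE_MAX - len);

    /* elem_size 1: the product does not wrap, but no allocator can satisfy it,
     * so the failure must come from the allocator's refusal, not from a crash. */
    if (checked_alloc_size(len, 1, &bytes) == 0 && safe_array_alloc(len, 1) == NULL) {
        puts("ubyte[-18]: size representable, allocator refused -> clean failure");
    }

    /* A length just over half of SIZE_MAX times an element size of 2 wraps to
     * 2 bytes in the naive computation: the classic undersized-buffer bug. */
    size_t half_plus = SIZE_MAX / 2 + 2;
    printf("naive:   %zu * 2 = %zu\n", half_plus, naive_alloc_size(half_plus, 2));
    printf("checked: %s\n",
           checked_alloc_size(half_plus, 2, &bytes) == 0 ? "ok" : "rejected");
    return 0;
}
```

The two cases are deliberately different: -18 with a one-byte element does not overflow the multiplication at all, it only asks for more memory than exists, so the check that matters there is that the allocator's NULL (or, in druntime's case, the OutOfMemoryError) is honoured rather than the result being used as if the request had succeeded. The half-of-SIZE_MAX case is the one the division-based guard exists for.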