Bug 16469 – Segmentation fault in bigAlloc with negative size
Status: RESOLVED
Resolution: DUPLICATE
Severity: normal
Priority: P1
Component: druntime
Product: D
Version: D2
Platform: x86
OS: Linux
Creation time: 2016-09-05T20:23:00Z
Last change time: 2016-09-06T15:02:14Z
Assigned to: nobody
Creator: cpicard
Comments
Comment #0 by cpicard — 2016-09-05T20:23:32Z
The following snippet segfaults with DMD 2.071.1 when compiled with no flag:
void main() {
    // -18 is a signed constant; used as an array length it is converted to a huge size_t
    auto buf = new ubyte[-18];
}
For some reason, values between 0 and -17 cause OutOfMemoryError but no segfault.
This was found while fuzzing arsd/png.d with afl (American Fuzzy Lop).
Comment #1 by lodovico — 2016-09-06T12:30:30Z
*** This issue has been marked as a duplicate of issue 16470 ***
Comment #2 by cpicard — 2016-09-06T14:54:49Z
Is it a duplicate? Judging only from gdb backtrace those are different issues. I haven't checked in druntime though.
Comment #3 by lodovico — 2016-09-06T15:02:14Z
(In reply to Cédric Picard from comment #2)
> Is it a duplicate? Judging only from gdb backtrace those are different
> issues. I haven't checked in druntime though.
As in the other issue, the problem is that a negative constant becomes a huge size_t value, which should trigger an OutOfMemoryError, but segfaults instead.
So IMHO it's the same issue. It may well be that the druntime presents the wrong code in two different places, but it is probably two copies of the same logic, as enlarging (not in place) and allocating perform the same checks and the same steps.
But of course anybody is free to reopen this if it's deemed necessary.
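The failure mode lodovico describes in comment #3 (a negative constant wrapping to a huge size_t, which the allocator should reject with OutOfMemoryError rather than crash) is shown below in C. This is an added example, not code from the report or from druntime: it models the two checks an array allocator needs, an overflow-checked count * element-size product and an up-front refusal of sizes that cannot be satisfied, and shows what the unchecked arithmetic yields. The function names (as_size_t, naive_byte_count, checked_byte_count, checked_array_alloc) and the status codes are this example's own, and the PTRDIFF_MAX cap is an assumption standing in for whatever limit the real runtime enforces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a checked array allocation. Anything other than ALLOC_OK is the
 * point where a runtime should raise its out-of-memory error instead of
 * continuing with a bad pointer. (Hypothetical status codes for this example.) */
typedef enum { ALLOC_OK = 0, ALLOC_OVERFLOW, ALLOC_OOM } alloc_status;

typedef struct {
    void *ptr;           /* NULL unless status == ALLOC_OK */
    size_t nbytes;       /* byte count actually requested */
    alloc_status status;
} alloc_result;

/* What the allocator sees when a signed length is passed where a size_t is
 * expected: -18 becomes SIZE_MAX - 17 (two's complement wrap). */
size_t as_size_t(long length) {
    return (size_t)length;
}

/* Byte count as computed by an allocator that trusts its caller: the product
 * wraps modulo 2^N, so a huge element count can turn into a tiny (even zero)
 * request while the caller still believes it owns `count` elements. */
size_t naive_byte_count(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Overflow-checked product. Returns 1 and stores the byte count on success,
 * 0 if count * elem_size does not fit in size_t. */
int checked_byte_count(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Allocation that fails cleanly. Requests above PTRDIFF_MAX are refused before
 * calling malloc (an object that large could not be indexed correctly anyway),
 * so the result does not depend on how the C library treats absurd sizes. */
alloc_result checked_array_alloc(size_t count, size_t elem_size) {
    alloc_result r = { NULL, 0, ALLOC_OK };
    if (!checked_byte_count(count, elem_size, &r.nbytes)) {
        r.status = ALLOC_OVERFLOW;
        return r;
    }
    if (r.nbytes > (size_t)PTRDIFF_MAX) {
        r.status = ALLOC_OOM;
        return r;
    }
    r.ptr = malloc(r.nbytes ? r.nbytes : 1);   /* avoid malloc(0) ambiguity */
    if (r.ptr == NULL)
        r.status = ALLOC_OOM;
    return r;
}

static const char *status_name(alloc_status s) {
    switch (s) {
    case ALLOC_OK:       return "ok";
    case ALLOC_OVERFLOW: return "size overflow";
    default:             return "out of memory";
    }
}

int main(void) {
    /* The case from the report: new ubyte[-18]. */
    size_t len = as_size_t(-18);
    printf("-18 as size_t: %zu (SIZE_MAX - 17)\n", len);
    alloc_result r = checked_array_alloc(len, sizeof(unsigned char));
    printf("ubyte[-18]: %s\n", status_name(r.status));

    /* Multiplication wrap: (SIZE_MAX/4 + 1) * 4 == 0 on every size_t width. */
    size_t wrap = SIZE_MAX / 4 + 1;
    printf("naive byte count for %zu * 4: %zu\n", wrap, naive_byte_count(wrap, 4));
    r = checked_array_alloc(wrap, 4);
    printf("checked: %s\n", status_name(r.status));

    /* A sane request succeeds. */
    r = checked_array_alloc(16, sizeof(uint32_t));
    printf("uint[16]: %s, %zu bytes\n", status_name(r.status), r.nbytes);
    free(r.ptr);
    return 0;
}
```

The wrapped-to-zero case is the one worth remembering from a security standpoint: an allocator that skips the product check hands back a small buffer for what the caller believes is a huge array, and every subsequent index into it is a heap overflow. A clean out-of-memory error for the -18 case is the boring, correct outcome.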