Bug 16470 – Segfault with negative array length

The following segfaults when compiled with DMDv2.071.1 (x86 and x86_64, no flag): void main() { ubyte[] buf; buf.length = -1; } Here is the relevant GDB backtrace: #0 0xb7c1708a in __memset_sse2_rep () from /usr/lib/libc.so.6 #1 0x080f51d6 in _d_arraysetlengthT () While I do not argue that setting a negative length is meaningless an Error should be thrown instead of segfaulting. This was found while fuzzing arsd/png.d with afl (American Fuzzy Loop).

There's no such thing as a negative length. -1 becomes size_t.max. Still shouldn't segfault, though. Should throw an OutOfMemoryError.

*** Issue 16469 has been marked as a duplicate of this issue. ***

This is caused by not-so-wise decision to to allow the implicit conversion from {int,long} to u{int,long} (but not for {byte,short} to u{byte,short}, go figure) so even though it is possible to catch this error at compile time a blind eye is turned instead.

I made this PR a long ago, but received no attention: https://github.com/dlang/druntime/pull/1675

Commit pushed to master at https://github.com/dlang/druntime https://github.com/dlang/druntime/commit/2d38937e3ff6597a143e83cf2d2d38c76b117d56 Fix issue 16470: Segfault with negative array length If the array length is too large, and the element size small enough, the overflow might go undetected in the check while multiplying array size and element size, but it can later manifest when adding padding, etc. https://issues.dlang.org/show_bug.cgi?id=16470

Commit pushed to newCTFE at https://github.com/dlang/druntime https://github.com/dlang/druntime/commit/2d38937e3ff6597a143e83cf2d2d38c76b117d56 Fix issue 16470: Segfault with negative array length

Commit pushed to stable at https://github.com/dlang/druntime https://github.com/dlang/druntime/commit/2d38937e3ff6597a143e83cf2d2d38c76b117d56 Fix issue 16470: Segfault with negative array length