https://issues.dlang.org/show_bug.cgi?id=18717

          Issue ID: 18717
           Summary: Segfault in BitManip
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
          Assignee: nob...@puremagic.com
          Reporter: cpic...@openmailbox.org

The following program segfaults with dmd v2.079.0 when compiled with no
arguments on x86_64:

```d
import std.bitmanip;

void main(string[] args) {
    auto barray   = BitArray();
    ulong evilVal = 2534886795;   // 0x97174d8b, the value later seen in rdi
    barray.length = evilVal + 1;  // length strictly greater than the index
    barray[evilVal];              // in bounds by the declared length, yet segfaults
}
```

The segfault happens here:

```
╭ (fcn) sym._D4core5bitop2btFNaNbNixPmmZi 13
│   sym._D4core5bitop2btFNaNbNixPmmZi ();
│           0x5558709cde6c      55             push rbp
│           0x5558709cde6d      488bec         mov rbp, rsp
│           ;-- rip:
│           0x5558709cde70      0fa33e         bt dword [rsi], edi
│           0x5558709cde73      19c0           sbb eax, eax
│           0x5558709cde75      f7d8           neg eax
│           0x5558709cde77      5d             pop rbp
╰           0x5558709cde78      c3             ret
            0x5558709cde79      0000           add byte [rax], al
            0x5558709cde7b  ~   005548         add byte [rbp + 0x48], dl
```

At that point we have:

```
rsi = 0x7f40163e2010   -> our BitArray
rdi = 0x97174d8b       -> "evilVal"
```

A look at /proc/*/maps shows that the call falls into this section:

```
0x00007f40163e2000 # 0x00007f4032928000 - usr 453.3M s -rw- unk1 unk1
```

IIUC this is what was allocated for our BitArray. However, this isn't enough, as
0x00007f4032928000 - 0x00007f40163e2000 < 2534886795.

Therefore my understanding is that not enough memory was allocated to hold the
BitArray even though we specified a length strictly greater than the index we
are accessing.
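The kind of guard that keeps an access like the one above from ever reaching memory, as an added example in C (not Phobos or BitArray code): the bit index stays 64-bit throughout, is checked against the logical length, and the backing array is checked to be large enough before any word is read. `checked_bt`, `words_for_bits`, the 64-bit-word layout and the sample arrays are assumptions of this example, not BitArray's internals.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_WORD (sizeof(uint64_t) * 8)

/* Number of 64-bit words needed to back `nbits` bits (assumed layout). */
static uint64_t words_for_bits(uint64_t nbits)
{
    return (nbits + BITS_PER_WORD - 1) / BITS_PER_WORD;
}

/* Which word and which bit within it a 64-bit index maps to. */
static uint64_t word_index_of(uint64_t idx) { return idx / BITS_PER_WORD; }
static unsigned bit_offset_of(uint64_t idx) { return (unsigned)(idx % BITS_PER_WORD); }

/* Bounds-checked bit test. Returns the bit (0/1), or -1 when `idx` is not
 * below the logical length `nbits`, or when `nwords` words cannot hold
 * `nbits` bits. No narrowing of the index happens before the memory read. */
static int checked_bt(const uint64_t *words, uint64_t nwords,
                      uint64_t nbits, uint64_t idx)
{
    if (idx >= nbits)
        return -1;                        /* index past the declared length */
    if (words_for_bits(nbits) > nwords)
        return -1;                        /* backing store too small for length */
    return (int)((words[word_index_of(idx)] >> bit_offset_of(idx)) & 1u);
}

/* Constructed samples: two words with only bit 99 (word 1, bit 35) set,
 * and a single zero word that is far too small for the report's length. */
static const uint64_t sample_words[2] = { 0, 1ULL << 35 };
static const uint64_t one_word[1]     = { 0 };

int main(void)
{
    uint64_t evil = 2534886795ULL;            /* the index from the report */
    printf("index %llu -> word %llu, bit %u; needs %llu words\n",
           (unsigned long long)evil, (unsigned long long)word_index_of(evil),
           bit_offset_of(evil), (unsigned long long)words_for_bits(evil + 1));
    printf("bit 99 of sample: %d\n", checked_bt(sample_words, 2, 100, 99));
    printf("undersized store: %d\n", checked_bt(one_word, 1, evil + 1, evil));
    return 0;
}
```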
