In poking around in Phobos, I found a number of cases like:
https://github.com/dlang/phobos/pull/4655where overflow is possible in calculating storage sizes. Since allocation normally happens in @trusted code, these are a safety/security hole.
When reviewing Phobos submissions, please check for this sort of thing. https://wiki.dlang.org/Get_involved#Review_pull_requests