FWIW, I applied most of your patches, though some I squashed since you just introduced the bugs in a previous non-applied patch ... :)

Regarding the fuzzing ... how long did you run this? I adjusted this to afl-clang-fast (afl++, not the original) and it's not finding much easily...

I guess making it realloc each element into a separate buffer so that it's checking out-of-bounds for each element separately will help somewhat, let's see...

johannes
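The per-element copy idea mentioned above, as an added example that is not part of this thread or of the project being patched: a small fuzz harness that walks a constructed "type, length, value" stream and hands each element to its handler in a freshly malloc'd buffer of exactly the element's length. With a contiguous input buffer, a handler that reads one byte past an element just reads the next element and the fuzzer never notices; with an exact-size heap copy, that read lands in an ASan redzone and aborts on the spot. The TLV layout, `handle_element()` and `fuzz_one()` are hypothetical stand-ins for whatever the real parser looks like; nothing here is the project's code.

```c
/* Added example (not from the original thread): fuzz harness that copies
 * each parsed element into its own exact-size heap buffer so that an
 * out-of-bounds read on one element is caught by ASan instead of silently
 * running into the next element or the rest of the input buffer.
 * Build for afl++ with, e.g.:
 *   AFL_USE_ASAN=1 afl-clang-fast -g -O1 harness.c -o harness
 *   afl-fuzz -i in -o out -- ./harness @@
 * The TLV format and handle_element() are hypothetical stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical element handler: folds the payload into a checksum.
 * It stays within len; if a bug here read val[len], the exact-size copy
 * made in fuzz_one() would put that byte in an ASan redzone. */
static unsigned handle_element(uint8_t type, const uint8_t *val, size_t len)
{
    unsigned sum = type;
    for (size_t i = 0; i < len; i++)
        sum += val[i];
    return sum;
}

/* Walk a stream of {type:u8, len:u8, value[len]} elements. Returns the
 * number of well-formed elements processed, or -1 if an element claims
 * more bytes than remain (rejected rather than over-read). The checksum
 * of all handled elements is written to *checksum when non-NULL. */
int fuzz_one(const uint8_t *data, size_t len, unsigned *checksum)
{
    size_t pos = 0;
    int count = 0;
    unsigned acc = 0;

    while (pos + 2 <= len) {
        uint8_t type = data[pos];
        uint8_t elen = data[pos + 1];
        pos += 2;
        if (elen > len - pos)
            return -1;

        /* Exact-size copy: no slack after the element for a stray read
         * to land in. malloc(1) for empty elements keeps the pointer
         * non-NULL on platforms where malloc(0) returns NULL. */
        uint8_t *copy = malloc(elen ? elen : 1);
        if (!copy)
            abort();
        memcpy(copy, data + pos, elen);
        acc += handle_element(type, copy, elen);
        free(copy);

        pos += elen;
        count++;
    }
    if (checksum)
        *checksum = acc;
    return count;
}

/* Convenience wrapper: checksum of a stream, or 0 if it is malformed. */
unsigned element_checksum(const uint8_t *data, size_t len)
{
    unsigned sum = 0;
    if (fuzz_one(data, len, &sum) < 0)
        return 0;
    return sum;
}

int main(int argc, char **argv)
{
    /* afl-fuzz convention: test case path as argv[1], otherwise stdin */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    if (!f)
        return 1;
    static uint8_t buf[65536];
    size_t n = fread(buf, 1, sizeof(buf), f);
    if (f != stdin)
        fclose(f);

    unsigned sum = 0;
    int count = fuzz_one(buf, n, &sum);
    printf("elements=%d checksum=%u\n", count, sum);
    return 0;
}
```

The same trick applies to any container format (netlink attributes, information elements, option lists): parse the outer framing once, then give each inner element to the code under test through a buffer that ends exactly where the element ends. Without ASan the copies change nothing observable, so the harness can be built plain for throughput and with `AFL_USE_ASAN=1` for the bounds checking.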