AFAIU, the length is negative but it is then treated as an unsigned integer by vDSP_sveD. So the function iterates over the given vector until there is a memory exception (As the length is very close to to UINT_MAX). It doesn't look very exploitable to me but it is surely annoying. I've found it a bit odd that neither TStorageRange::SetStorageSubRange nor vDSP_sveD do any kind of sanity checks for the values they calculate or which are passed to them.
