History: Jul 17, 2017 - 5:10 p.m.

Internet Bug Bounty: CVE-2017-11367: Global buffer overflow (READ of size 4) in shoco C library

2017-07-17 17:10:05
geeknik
hackerone.com
14

EPSS: 0.002 (Percentile: 61.7%)

The shoco_decompress function in the API in shoco through 2017-07-17 allows remote attackers to cause a denial of service (buffer over-read and application crash) via malformed compressed data. The vendor has been unresponsive since this was reported in February of 2017.

==19039==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004d0548 at pc 0x0000004bfdda bp 0x7ffd2945a650 sp 0x7ffd2945a648
READ of size 4 at 0x0000004d0548 thread T0
    #0 0x4bfdd9 in shoco_decompress (/root/shoco/shoco+0x4bfdd9)
    #1 0x4c017c in main (/root/shoco/shoco+0x4c017c)
    #2 0x7f542c310b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #3 0x4bd56c in _start (/root/shoco/shoco+0x4bd56c)

0x0000004d0548 is located 24 bytes to the left of global variable 'chrs_by_chr_and_successor_id' defined in './shoco_model.h:58:21' (0x4d0560) of size 1328
0x0000004d0548 is located 8 bytes to the right of global variable 'chrs_by_chr_id' defined in './shoco_model.h:15:19' (0x4d0520) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 shoco_decompress
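The ASan report above is the signature of one bug class: a table index derived from untrusted compressed input is used without being compared against the table's size, so the lookup walks off the end of one global into its neighbour. The following is an added illustration of that class and its fix, not code from shoco or from the report: the packed format (two 4-bit indices per byte), the 8-entry CHR_TABLE and the sample inputs are all constructed here, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model table: a small fixed global, playing the role of the tables ASan
 * names in the report (chrs_by_chr_id / chrs_by_chr_and_successor_id). Not shoco's data. */
static const char CHR_TABLE[8] = { 'e', 'a', 'i', 'o', 't', 'n', 's', 'r' };
#define CHR_TABLE_LEN (sizeof CHR_TABLE)

/* Hypothetical packed format: each input byte carries two 4-bit table indices, high
 * nibble first. A conforming encoder only emits 0..7, but a malformed byte can carry
 * 8..15, and that gap is exactly what the decoder must not trust. */

/* Unchecked decoder: the wire index goes straight into the table, so a malformed byte
 * reads past CHR_TABLE into whatever global the linker placed after it (the over-read
 * class in the report). Shown for contrast only; never give it untrusted input. */
size_t decode_unchecked(const uint8_t *in, size_t in_len, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len && o + 1 < out_len; ++i) {
        out[o++] = CHR_TABLE[in[i] >> 4];
        if (o + 1 < out_len)
            out[o++] = CHR_TABLE[in[i] & 0x0Fu];
    }
    out[o] = '\0';
    return o;
}

/* Hardened decoder: every wire-derived index is checked against CHR_TABLE_LEN before
 * the lookup, and every write is checked against out_len. Returns the number of decoded
 * characters, or -1 for malformed input or a too-small output buffer. */
long decode_checked(const uint8_t *in, size_t in_len, char *out, size_t out_len)
{
    if (out == NULL || out_len == 0)
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < in_len; ++i) {
        unsigned idx[2] = { in[i] >> 4, in[i] & 0x0Fu };
        for (int k = 0; k < 2; ++k) {
            if (idx[k] >= CHR_TABLE_LEN) {
                out[0] = '\0';      /* reject: index lies outside the model table */
                return -1;
            }
            if (o + 1 >= out_len) {
                out[0] = '\0';      /* reject: no room for the character plus NUL */
                return -1;
            }
            out[o++] = CHR_TABLE[idx[k]];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Constructed inputs: a well-formed stream ("aets") and one whose second byte carries
 * index 15, which an 8-entry table cannot satisfy. */
static const uint8_t GOOD_INPUT[] = { 0x10, 0x46 };
static const uint8_t BAD_INPUT[]  = { 0x10, 0xF6 };

/* Small wrappers over the constructed inputs so the outcomes can be checked directly. */
long example_good(void)
{
    char buf[16];
    return decode_checked(GOOD_INPUT, sizeof GOOD_INPUT, buf, sizeof buf);
}

int example_good_text_matches(void)
{
    char buf[16];
    decode_checked(GOOD_INPUT, sizeof GOOD_INPUT, buf, sizeof buf);
    return strcmp(buf, "aets") == 0;
}

long example_bad(void)
{
    char buf[16];
    return decode_checked(BAD_INPUT, sizeof BAD_INPUT, buf, sizeof buf);
}

int main(void)
{
    char buf[16];
    long n = decode_checked(GOOD_INPUT, sizeof GOOD_INPUT, buf, sizeof buf);
    printf("good: %ld \"%s\"\n", n, buf);
    n = decode_checked(BAD_INPUT, sizeof BAD_INPUT, buf, sizeof buf);
    printf("bad:  %ld (rejected before any table lookup)\n", n);
    return 0;
}
```

The checked variant is what a fix for this class looks like: the index check costs one compare per lookup and turns a global buffer over-read into a clean error return. Building a decoder like this with `-fsanitize=address` and feeding it malformed streams is how the report above was produced, and it is also the cheapest regression test a maintainer can keep for the fix.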

Original bug report: https://github.com/Ed-von-Schleck/shoco/issues/28
CVE Advisory: https://vulners.com/cve/CVE-2017-11367

I understand this probably isn’t worthy of a bounty, but the reputation points for a resolved report are always nice.

