This bug has been reported over 90d ago and is now eligible for a patch reward from any contributor. Please review general Patch Reward guidelines at g.co/prp if you'd like to contribute.

The reward for this fix being accepted upstream has been set at $300.

Original Report:

Hello graphviz team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
graphviz (tested with revision * master 510f40d71448f7b8df18df1c2c3520787fcdadc5).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile /path/to/project`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

ASAN:DEADLYSIGNAL
=================================================================
==11==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fc440d68cc0 bp 0x7ffd25eda360 sp 0x7ffd25eda300 T0)
==11==The signal is caused by a READ memory access.
==11==Hint: address points to the zero page.
#0 0x7fc440d68cbf in rebuild_vlists /fuzzing/graphviz/lib/dotgen/conc.c:162:32
#1 0x7fc440d6935c in rebuild_vlists /fuzzing/graphviz/lib/dotgen/conc.c:194:2
#2 0x7fc440d6707c in dot_concentrate /fuzzing/graphviz/lib/dotgen/conc.c:242:2
#3 0x7fc440d88943 in dot_position /fuzzing/graphviz/lib/dotgen/position.c:127:2
#4 0x7fc440d74a16 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:326:9
#5 0x7fc440d74117 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#6 0x7fc440d74019 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#7 0x7fc441786ac3 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#8 0x7fc441797c43 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#9 0x51d62b in LLVMFuzzerTestOneInput /fuzzing/graphviz/./fuzzer.cc:13:18
#10 0x50f9cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/fuzzer+0x50f9cc)
#11 0x50f18e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/graphviz/fuzzer+0x50f18e)
#12 0x508fed in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/graphviz/fuzzer+0x508fed)
#13 0x50a4bf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/fuzzer+0x50a4bf)
#14 0x508e9c in main (/fuzzing/graphviz/fuzzer+0x508e9c)
#15 0x7fc43f7232b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#16 0x41e5a9 in _start (/fuzzing/graphviz/fuzzer+0x41e5a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/graphviz/lib/dotgen/conc.c:162:32 in rebuild_vlists
==11==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team