When ContentLine_Analyzer:oDeliverOnce is called with a value of "\nfalse\r\n----WebkitFormBoundary" and last_char was set to '\r' in a previous call, buf is set to \0 at index -1.
I think a fix would be to check the offset in the EMIT_LINE macro to be > 0.
Sadly I can not share the original trace which triggers the segfault. If this report is not enough I can spend some more time trying to create a test trace.
FreeBSD 10.3 RELEASE
Yup, can reproduce - I will post a patch here in a bit.
This is updated in master and we released Bro 2.5.2 to address it. Patch at https://github.com/bro/bro/commit/6c0f101a62489b1c5927b4ed63b0e1d37db40282
Thanks a lot for reporting this and for answering questions.
Thanks for the fix. I hope I can provide a more thorough report next time.
I can reproduce this behaviour with the pcap I added above. I also added the ASAN backtrace of the execution of Bro with that pcap. Hope this can help for testing (even if the problem is solved).
This was assigned CVE-2017-1000458.