ERROR - segmentation fault - malloc_consolidate #502

Open
EnchantedJohn opened this issue May 8, 2018 · 4 comments
Comments

@EnchantedJohn
I found the second error. Server: Ubuntu 14.04.5 LTS, using AFL fuzzing.
The error is the following:

```
(gdb) run -e crashes/id:000120,sig:11,src:000411,op:havoc,rep:2 test8.flif
Starting program: /home/lx/5_7/flif/flif/src/flif -e crashes/id:000120,sig:11,src:000411,op:havoc,rep:2 test8.flif
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7ffff7683760 <main_arena>) at malloc.c:4151
4151	malloc.c: No such file or directory.
```

@EnchantedJohn (Author)

```
(gdb) x/i $pc
=> 0x7ffff733f7d9 <malloc_consolidate+281>:	mov    0x8(%rbx),%rax
(gdb) i r
rax            0xd06090            13656208
rbx            0x400000003         17179869187
rcx            0xd06380            13656960
rdx            0x61                97
rsi            0xc198              49560
rdi            0x7ffff7683760      140737344190304
rbp            0xd06250            0xd06250
rsp            0x7fffffffd8b0      0x7fffffffd8b0
r8             0x3                 3
r9             0x7ffff76837b8      140737344190392
r10            0x7ffff7683770      140737344190320
r11            0x246               582
r12            0x60                96
r13            0x30                48
r14            0x400000003         17179869187
r15            0x7ffff7683760      140737344190304
rip            0x7ffff733f7d9      0x7ffff733f7d9 <malloc_consolidate+281>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
```

@EnchantedJohn (Author)

```
(gdb) bt
#0  malloc_consolidate (av=av@entry=0x7ffff7683760 <main_arena>) at malloc.c:4151
#1  0x00007ffff73418b8 in _int_malloc (av=0x7ffff7683760 <main_arena>, bytes=49560) at malloc.c:3425
#2  0x00007ffff7343ae0 in __GI___libc_malloc (bytes=49560) at malloc.c:2893
#3  0x00007ffff790b928 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00000000006086d8 in allocate (this=0x7fffffffdb20, __n=3) at /usr/include/c++/4.9/ext/new_allocator.h:104
#5  allocate (__a=..., __n=3) at /usr/include/c++/4.9/bits/alloc_traits.h:488
#6  _M_allocate (this=0x7fffffffdb20, __n=3) at /usr/include/c++/4.9/bits/stl_vector.h:170
#7  _M_allocate_and_copy<PropertySymbolCoder<SimpleBitChance, RacDummy, 10>*> (this=0x7fffffffdb20, __last=0x0, __first=0x0, __n=3) at /usr/include/c++/4.9/bits/stl_vector.h:1224
#8  std::vector<PropertySymbolCoder<SimpleBitChance, RacDummy, 10>, std::allocator<PropertySymbolCoder<SimpleBitChance, RacDummy, 10> > >::reserve (this=this@entry=0x7fffffffdb20, __n=3)
    at /usr/include/c++/4.9/bits/vector.tcc:75
#9  0x000000000063def7 in flif_encode_scanlines_pass<FileIO, RacDummy, PropertySymbolCoder<SimpleBitChance, RacDummy, 10> > (io=..., rac=..., images=std::vector of length 1, capacity 1 = {...},
    ranges=ranges@entry=0xd06380, forest=std::vector of length 3, capacity 3 = {...}, repeats=repeats@entry=2, options=...) at flif-enc.cpp:105
#10 0x00000000006587bd in flif_encode_main<10, FileIO> (rac=..., io=..., images=std::vector of length 1, capacity 1 = {...}, ranges=ranges@entry=0xd06380, options=...) at flif-enc.cpp:717
#11 0x0000000000675e38 in flif_encode (io=..., images=std::vector of length 1, capacity 1 = {...}, transDesc=std::vector of length 6, capacity 8 = {...}, options=...) at flif-enc.cpp:1039
#12 0x000000000045ea4d in encode_flif (argc=<optimized out>, argv=0x7fffffffe320, images=std::vector of length 1, capacity 1 = {...}, options=...) at flif.cpp:344
#13 0x0000000000407c03 in main (argc=<optimized out>, argv=0x7fffffffe318) at flif.cpp:763
```

@EnchantedJohn (Author)

```
(gdb) x/8i $pc
=> 0x7ffff733f7d9 <malloc_consolidate+281>:	mov    0x8(%rbx),%rax
   0x7ffff733f7dd <malloc_consolidate+285>:	mov    0x10(%rbx),%r14
   0x7ffff733f7e1 <malloc_consolidate+289>:	mov    %rax,%r12
   0x7ffff733f7e4 <malloc_consolidate+292>:	and    $0xfffffffffffffffa,%r12
   0x7ffff733f7e8 <malloc_consolidate+296>:	lea    (%rbx,%r12,1),%rbp
   0x7ffff733f7ec <malloc_consolidate+300>:	mov    0x8(%rbp),%r13
   0x7ffff733f7f0 <malloc_consolidate+304>:	and    $0xfffffffffffffff8,%r13
   0x7ffff733f7f4 <malloc_consolidate+308>:	test   $0x1,%al
```

EnchantedJohn changed the title from "Error - segmentation fault - malloc_consolidate" to "ERROR - segmentation fault - malloc_consolidate" on May 8, 2018.

@EnchantedJohn (Author)

ASan analysis report:

```
==30260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ede4 at pc 0x5c36e2 bp 0x7ffdce44a690 sp 0x7ffdce44a688
WRITE of size 4 at 0x60300000ede4 thread T0
    #0 0x5c36e1 in TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) transform/palette_C.hpp:130
    #1 0x72e7d8 in bool flif_encode(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::string, std::allocator<std::string> > const&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif-enc.cpp:914
    #2 0x4acaf5 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:344
    #3 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
    #4 0x7f4f02baff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)

0x60300000ede4 is located 0 bytes to the right of 20-byte region [0x60300000edd0,0x60300000ede4)
allocated by thread T0 here:
    #0 0x7f4f036fc15f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5515f)
    #1 0x5a4677 in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:488
    #2 0x5a4677 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
    #3 0x5a4677 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/4.9/bits/vector.tcc:557
    #4 0x5a4677 in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:676

SUMMARY: AddressSanitizer: heap-buffer-overflow transform/palette_C.hpp:130 TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)
Shadow bytes around the buggy address:
  0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
  0x0c067fff9dc0: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c067fff9dd0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9de0: 00 07 fa fa fd fd fd fd fa fa 00 00 00 06 fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 07 fa fa 00 00 00 06
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30260==ABORTING
```
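A worked triage of the ASan report above, added here as an example; it is not code from the issue or from the FLIF project. The report names a 20-byte `std::vector<int>` region (five ints) and a 4-byte write exactly at its end, so the faulting access is element index 5 of a 5-element vector; the `[04]` shadow byte is consistent with that, since 20 bytes fill two full 8-byte granules and 4 bytes of a third. The gdb crash in the earlier comments is the downstream symptom of such heap corruption: `mov 0x8(%rbx),%rax` faults because `rbx`, a chunk pointer `malloc_consolidate` pulled from the heap, holds `0x400000003`, which is not a valid address. The functions below (`oob_element_index`, `last_granule_shadow`, `store_checked`, `store_at`) are names chosen for this example, not FLIF functions, and the unchecked store is shown only for contrast.

```cpp
// Added example, not FLIF code: triage arithmetic for the ASan report above, plus the
// bounds check that turns a silent heap overwrite into a reported error.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Map an ASan "WRITE of size N at ADDR ... region [lo, hi)" to the element index the
// faulting access corresponds to. Returns -1 when addr lies inside the region, i.e. the
// access was not past the end at all.
long oob_element_index(std::uint64_t region_lo, std::uint64_t region_hi,
                       std::uint64_t addr, std::size_t elem_size) {
    if (addr >= region_lo && addr < region_hi) return -1;
    return static_cast<long>((addr - region_lo) / elem_size);
}

// ASan shadow byte for the last 8-byte granule of a heap region of the given size:
// 00 when the granule is fully addressable, otherwise the count of addressable bytes
// (the "partially addressable" 01..07 values in the legend). The [0k] marker in a
// report should match this value for the region it names.
unsigned last_granule_shadow(std::size_t region_size) {
    return static_cast<unsigned>(region_size % 8);
}

// Unchecked store: the pattern that, when idx == values.size(), writes 4 bytes past the
// vector's buffer into whatever the allocator placed there. Undefined behaviour; kept
// only for contrast and never called with an out-of-bounds index here.
void store_unchecked(std::vector<int>& values, std::size_t idx, int v) {
    values[idx] = v;
}

// Checked store: refuses the write and reports it instead of corrupting the heap.
bool store_checked(std::vector<int>& values, std::size_t idx, int v) {
    if (idx >= values.size()) return false;
    values[idx] = v;
    return true;
}

// Same guarantee via std::vector::at(), which throws std::out_of_range for idx >= size().
bool store_at(std::vector<int>& values, std::size_t idx, int v) {
    try {
        values.at(idx) = v;
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// The numbers from the report in this issue: 20-byte region, 4-byte write at region_hi.
long issue_oob_index() {
    return oob_element_index(0x60300000edd0ULL, 0x60300000ede4ULL,
                             0x60300000ede4ULL, sizeof(int));
}

// Exercise the checked stores on a 5-element vector (the same shape ASan reported):
// both out-of-bounds paths are refused, the in-bounds write lands.
bool checked_stores_behave() {
    std::vector<int> v(5);
    return !store_checked(v, 5, 0x61) && !store_at(v, 5, 0x61)
        && store_checked(v, 4, 0x61) && v[4] == 0x61;
}

int main() {
    std::vector<int> palette;
    palette.resize(5);  // vector<int>::resize(5) -> 20-byte allocation, as in the report

    std::printf("faulting write is element index %ld (size() == %zu)\n",
                issue_oob_index(), palette.size());
    std::printf("expected shadow byte for last granule of 20 bytes: %02u\n",
                last_granule_shadow(20));
    // store_unchecked(palette, 5, 0x61);  // would be the heap-buffer-overflow ASan catches
    std::printf("store_checked(idx 5): %s\n",
                store_checked(palette, 5, 0x61) ? "ok" : "refused");
    std::printf("store_at(idx 5): %s\n",
                store_at(palette, 5, 0x61) ? "ok" : "refused");
    std::printf("checked stores behave: %s\n", checked_stores_behave() ? "yes" : "no");
    return 0;
}
```

The index arithmetic is what you want when deciding whether a report is an off-by-one on the loop bound or a wild index: "0 bytes to the right" with `(addr - lo) / sizeof(elem) == size()` is the former. Whichever store form the fix uses, the check belongs where the index is computed from file-controlled data, since the same palette sizing drives the non-ASan build that ended up in `malloc_consolidate`.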
