[2019-12-17] - CVE-2019-19847

Stack-based buffer overflow in the spiro_to_bpath0() function, in spiro.c.

In the test suite, call-test14 to call-test19 all trigger the same issue.

The issue can be triggered as follow:

```
./configure CFLAGS="-fsanitize=address"
make
./tests/call-test14
```

```
=================================================================
==1829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf5a2c938 at pc 0x7fdc1174d487 bp 0x7ffcf5a2c450 sp 0x7ffcf5a2c448
WRITE of size 8 at 0x7ffcf5a2c938 thread T0
    #0 0x7fdc1174d486 in spiro_to_bpath0 /home/fcambus/libspiro-20190731/spiro.c:1182:11
    #1 0x4c9ea0 in test_curve /home/fcambus/libspiro-20190731/tests/./call-test.c:666:5
    #2 0x4ca119 in main /home/fcambus/libspiro-20190731/tests/./call-test.c:1172:9
    #3 0x7fdc1152e1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #4 0x41b31d in _start (/home/fcambus/libspiro-20190731/tests/.libs/call-test14+0x41b31d)

Address 0x7ffcf5a2c938 is located in stack of thread T0 at offset 632 in frame
    #0 0x4c832f in test_curve /home/fcambus/libspiro-20190731/tests/./call-test.c:536

  This frame has 3 object(s):
    [32, 416) 'spiro' (line 537)
    [480, 548) 'nextknot' (line 538)
    [592, 632) 'd' (line 539) <== Memory access at offset 632 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fcambus/libspiro-20190731/spiro.c:1182:11 in spiro_to_bpath0
Shadow bytes around the buggy address:
  0x10001eb3d8d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x10001eb3d8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d900: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x10001eb3d910: f2 f2 f2 f2 00 00 00 00 00 00 00 00 04 f2 f2 f2
=>0x10001eb3d920: f2 f2 00 00 00 00 00[f3]f3 f3 f3 f3 00 00 00 00
  0x10001eb3d930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001eb3d970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1829==ABORTING
```