The problems below were detected by the AddressSanitizer  feature of LLVM which new-ish clang and gcc versions have a flag to enable. It’s basically like valgrind, but not an external tool and also faster. This should make it easy to integrate in to the existing automated test suites for Bro (though I’ll probably have to increase timeouts for time-sensitive tests by 2x).
It also comes with a LeakSanitizer feature to detect memory leaks, but it’s labeled experimental and only supported on x86_64 Linux at the moment. Worked well for me, though, and the performance claims are interesting: no additional slowdown when used w/ ASan, and minimal performance cost if linked in independently.