The statement string += strlen ((char *) string) - strlen ((char *) glob); in function FcConfigGlobMatch, line 1974 of fccfg.c http://cgit.freedesktop.org/fontconfig/tree/src/fccfg.c?id=2.8.0#n1974 updates the pointer 'string' to point to a lower memory address than the start of the buffer if strlen(glob) > strlen(string). This causes the following line while (*string) to read and act on random data located in memory before the buffer that the pointer 'string' originally pointed to.
Thanks for catching this. This may cause a segfault in the worst case, in strlen(), when string points to an invalid address and contains '*'. That may be hard to reproduce as a crash though; it could be done by adjusting the length of the string in the glob element.
Fixed in 71b14d64.
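As an added illustration (not fontconfig's code, and not a copy of the fix in 71b14d64), here is a minimal matcher in the same shape as FcConfigGlobMatch with the missing length check in place: the string pointer is only advanced after confirming that the string is at least as long as the glob tail, so a glob longer than the string returns no-match instead of moving the pointer below the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Glob matcher with '*', '?' and backslash escapes, written for this note
 * in the shape of FcConfigGlobMatch (2.8.0) but with a length check
 * before the "skip to the last N characters" shortcut. */
static bool glob_match(const char *glob, const char *string)
{
    while (*string) {
        switch (*glob) {
        case '*':
            if (!glob[1])
                return true;            /* trailing '*' matches the rest */
            if (strchr(glob + 1, '*') == NULL) {
                /* No further wildcard: only the last `tail` characters of
                 * string can match the rest of the glob. 2.8.0 did
                 * string += strlen(string) - strlen(glob) unchecked, which
                 * wraps when the glob is longer; check first instead. */
                size_t slen = strlen(string);
                size_t tail = strlen(glob) - 1;   /* glob[0] is the '*' */
                if (slen < tail)
                    return false;
                string += slen - tail;
            }
            while (*string) {
                if (glob_match(glob + 1, string))
                    return true;
                string++;
            }
            return false;
        case '?':
            break;                      /* any single character */
        case '\\':
            glob++;                     /* next glob char is literal */
            /* fall through */
        default:
            if (*glob != *string)
                return false;
            break;
        }
        string++;
        glob++;
    }
    while (*glob == '*')                /* trailing stars match empty */
        glob++;
    return *glob == '\0';
}
```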