string += strlen ((char *) string) - strlen ((char *) glob);
in function FcConfigGlobMatch, line 1974 of fccfg.c
http://cgit.freedesktop.org/fontconfig/tree/src/fccfg.c?id=2.8.0#n1974 updates the pointer 'string' to point to a lower address than the start of the buffer if strlen(glob) > strlen(string). This causes the following line to read and act on random data located in memory before the buffer that the pointer 'string' originally pointed to.
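The defect described above comes from subtracting two size_t values: when strlen(glob) exceeds strlen(string), the difference wraps to a huge unsigned value instead of going negative, and the pointer adjustment lands outside the buffer. The following is an added example written for this report, not fontconfig's own code: a simplified glob matcher (supporting '*' and '?') that keeps the same "jump to the tail of the string" shortcut but guards it with the length check that was missing. The function names tail_jump_would_underflow and glob_match are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example modelled on the bug described in this report; this is
 * not fontconfig's FcConfigGlobMatch.
 *
 * True when 'string' is shorter than 'tail'. In that case the unchecked
 * adjustment
 *     string += strlen(string) - strlen(tail);
 * wraps, because both strlen() results are size_t, and leaves 'string'
 * pointing before the start of its buffer. */
bool tail_jump_would_underflow(const char *string, const char *tail)
{
    return strlen(string) < strlen(tail);
}

/* Matches 'glob' against 'string'. '*' matches any run of characters,
 * '?' matches exactly one. Returns true on a full match. */
bool glob_match(const char *glob, const char *string)
{
    while (*glob) {
        switch (*glob) {
        case '*':
            if (!glob[1])
                return true;                     /* trailing '*' matches the rest */
            if (strchr(glob + 1, '*') == NULL) {
                /* No further '*': the remainder of the glob must match a
                 * tail of 'string', so skip ahead to the right length.
                 * The guard is the check the unchecked version lacks. */
                const char *tail = glob + 1;
                if (tail_jump_would_underflow(string, tail))
                    return false;                /* string too short to match */
                string += strlen(string) - strlen(tail);
            }
            /* Try the remaining glob at every remaining position,
             * including the empty tail. */
            for (;; string++) {
                if (glob_match(glob + 1, string))
                    return true;
                if (!*string)
                    return false;
            }
        case '?':
            if (!*string)
                return false;
            break;
        default:
            if (*glob != *string)
                return false;
            break;
        }
        glob++;
        string++;
    }
    return *string == '\0';
}
```

With the guard in place, a glob whose literal tail is longer than the candidate string is rejected before any pointer arithmetic is done, so the matcher never reads memory outside the string it was given.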
Thanks for catching this. This may cause a segfault in the worst case, in strlen() when string points to an invalid address and contains '*'.
It may be hard to reproduce a crash though; it could be done by adjusting the length of the string in the glob element.
Fixed in 71b14d64.