On 19/03/2026 3:07 pm, Chris Down wrote:
Chris Down writes:
escape_chars() computes the post-escaping buffer size as len + pattern_chars, but unfortunately never accounts for the null terminator it unconditionally writes afterwards. That means that when pacman-conf applies --sysroot to an Include directive and that sysroot path contains a character that also happens to be a glob metacharacter, the null terminator is written one byte past the end of the allocation.
Fix both the overflow guard and the malloc size so the terminator always falls within the allocated region.
The off-by-one write is reliably caught by ASAN, so add a dedicated TAP test to prevent regressions.
Fixes: 7016adcb7035 ("manually apply --sysroot to configuration")
Of course I forgot to put the Signed-off-by ;-)
When committing please feel free to add:
Signed-off-by: Chris Down <chris@chrisdown.name>
Patches sent to the mailing list get lost. Please submit to GitLab: https://gitlab.archlinux.org/pacman/pacman/
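
The sizing rule described in the commit message above, as an added example that is not pacman's code and not part of the thread: the allocation and the overflow guard both have to cover len + pattern_chars + 1 so the terminator stays inside the buffer. The names escaped_size and escape_glob and the metacharacter set are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed metacharacter set; the set pacman-conf uses is not shown in the thread. */
static const char GLOB_META[] = "*?[\\";

/* Bytes needed for the escaped copy of s, including the NUL terminator.
 * Returns 0 if len + meta + 1 would not fit in size_t. */
size_t escaped_size(const char *s)
{
	size_t len = strlen(s), meta = 0;
	for (const char *p = s; *p; p++) {
		if (strchr(GLOB_META, *p)) {
			meta++;
		}
	}
	/* The guard covers the terminator too, not only len + meta. */
	if (meta > SIZE_MAX - len - 1) {
		return 0;
	}
	return len + meta + 1;
}

/* Returns a malloc'd copy of s with each metacharacter backslash-escaped,
 * or NULL on overflow or allocation failure. If written is non-NULL it
 * receives the number of bytes stored, terminator included. */
char *escape_glob(const char *s, size_t *written)
{
	size_t need = escaped_size(s);
	char *out = need ? malloc(need) : NULL;
	if (!out) {
		return NULL;
	}
	char *w = out;
	for (const char *p = s; *p; p++) {
		if (strchr(GLOB_META, *p)) {
			*w++ = '\\';
		}
		*w++ = *p;
	}
	*w++ = '\0'; /* lands on byte need - 1, the last allocated byte */
	if (written) {
		*written = (size_t)(w - out);
	}
	return out;
}
```

Building a caller of escape_glob with -fsanitize=address and passing a path that contains a metacharacter exercises the same boundary the commit message says ASAN catches.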