Hello,

the function path_norm() from libauparse.so in audit-4.1.1 still reads one byte below the allocated "working" buffer and triggers AddressSanitizer and valgrind reports for inputs like "a/../.." or "a/.././..".

Attached is a test that produces the ASan report.

Process paths like these were generated when processing audit syscall events for clone and probably others.

Most of the read underruns in path_norm() were fixed in 2025 and the issue mentioned above is apparently the only one remaining in that code.

Would replacing the while loop with the code below ensure that path_norm does not read below the "working" buffer?

- while (dest > rpath && (--dest)[-1] != '/');

+ char *slash = (char *)memrchr(rpath, '/', dest - rpath);
+ if (slash)
+ dest = (slash == rpath) ? (rpath + 1) : slash;
+ else
+ dest = rpath;
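
Review bot: The `memrchr` replacement does not leave `dest` where the removed loop did, so it changes behaviour beyond removing the underread. The old loop pre-decrements and then tests `dest[-1]`, so it never examines the byte originally at `dest[-1]` and stops with `dest` one past the slash it finds; the new code searches all of `[rpath, dest)`, including that last byte, and assigns `dest = slash`, which points at the slash itself (only the `slash == rpath` branch keeps the one-past position). If the rest of path_norm() relies on `dest[-1] == '/'` after this step, or if `dest[-1]` can already be '/' on entry, the results will differ. To keep the old result without the out-of-bounds read, search `dest - rpath - 1` bytes, guarded by `dest > rpath` so the length cannot wrap, and assign `slash + 1`, with the no-slash case still falling back to `rpath`. `memrchr` is also a GNU extension, so the file needs `_GNU_SOURCE` defined before `<string.h>` is included.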

Regards,
Bogdan Harjoc