Line 644 of src/sandbox.c calls xrealloc and tests the return value for NULL, but if it is non-NULL the new value is discarded. If it is in fact different from the value that was passed in, the code will write into the old, now-invalid memory area and cause arbitrary errors, crashes, etc.
Created attachment 165946: sandbox-1.2.20_alpha2-realloc.patch
Fix.
Thanks, I've committed your fix to svn.
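
The defect described in the report above, reduced to a standalone C example. It is added here and is not code from sandbox's src/sandbox.c; `moving_xrealloc`, `int_vec`, `vec_push` and `push_and_sum` are hypothetical names. The stand-in allocator always relocates the block, so the stale-pointer case does not depend on allocator behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for xrealloc: aborts on failure and ALWAYS moves the
 * block (realloc is allowed to), so the stale-pointer case is deterministic. */
static void *moving_xrealloc(void *old, size_t old_size, size_t new_size)
{
    void *fresh = malloc(new_size);
    if (fresh == NULL) abort();
    if (old != NULL) {
        memcpy(fresh, old, old_size < new_size ? old_size : new_size);
        free(old);
    }
    return fresh;
}

struct int_vec { int *items; size_t len, cap; };

/* Buggy pattern from the report (shown only, never compiled):
 *     if (moving_xrealloc(v->items, old_bytes, new_bytes) == NULL) return;
 *     v->items[v->len++] = value;   // v->items still names the freed block
 */

/* Fixed pattern: store the returned pointer before touching the buffer. */
static void vec_push(struct int_vec *v, int value)
{
    if (v->len == v->cap) {
        size_t new_cap = v->cap ? v->cap * 2 : 4;
        v->items = moving_xrealloc(v->items, v->cap * sizeof *v->items,
                                   new_cap * sizeof *v->items);
        v->cap = new_cap;
    }
    v->items[v->len++] = value;
}

/* Pushes 0..n-1 through several forced moves and sums what is read back. */
static long push_and_sum(int n)
{
    struct int_vec v = {0};
    long sum = 0;
    for (int i = 0; i < n; i++)
        vec_push(&v, i);
    for (size_t i = 0; i < v.len; i++)
        sum += v.items[i];
    free(v.items);
    return sum;
}

int main(void) { printf("sum = %ld\n", push_and_sum(100)); return 0; }
```

Building the buggy form with `-fsanitize=address` reports the write as a heap-use-after-free on the first growth, which is a quick way to confirm this class of defect in a test run.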