APPROVE COMMIT
NOTE: This patch has been committed.
src/ChangeLog addition:
2006-05-21  Aidan Kehoe  <kehoea(a)parhasard.net>
	* doc.c (extract_object_file_name):
	* doc.c (unparesseuxify_doc_string):
	Leave sufficient space for the '\0' sentinel when reading into the
	buffer.  The bug in unparesseuxify_doc_string had been there for
	ten years at least, but it was Fabrice Popineau's investigation of
	the code on the same model in extract_object_file_name that
	provoked its discovery.  Thank you Fabrice!
	
XEmacs Trunk source patch:
Diff command:   cvs -q diff -u
Files affected: src/doc.c
Index: src/doc.c
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacs/src/doc.c,v
retrieving revision 1.37
diff -u -u -r1.37 doc.c
--- src/doc.c	2006/05/07 14:20:36	1.37
+++ src/doc.c	2006/05/21 18:30:25
@@ -49,7 +49,7 @@
 {
   Ibyte buf[DOC_MAX_FILENAME_LENGTH+1];
   Ibyte *buffer = buf;
-  int buffer_size = sizeof (buf), space_left;
+  int buffer_size = sizeof (buf) - 1, space_left;
   Ibyte *from, *to;
   REGISTER Ibyte *p = buffer;
   Lisp_Object return_me;
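Review bot: `buffer_size` now means the usable capacity with one byte held back for the '\0' sentinel, but nothing at the declaration says so, and the same unstated convention recurs in the second function's declaration (the hunk at -168). A later edit that restores `sizeof (buf)` or reads `buffer_size + 1` bytes would bring back the off-by-one write this commit fixes. I would add a comment at both declarations, for example `/* buffer_size excludes the byte reserved for the trailing '\0' */`. The function body starts and ends outside the hunk, so the read and the terminating store that depend on this invariant are not visible here.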
@@ -59,8 +59,8 @@
 
   GCPRO2 (fdstream, instream);
 
-  position = doc_pos > DOC_MAX_FILENAME_LENGTH  ? 
-    doc_pos - DOC_MAX_FILENAME_LENGTH : 0; 
+  position = doc_pos > buffer_size  ? 
+    doc_pos - buffer_size : 0; 
 
   if (0 > lseek (fd, position, 0))
     {
@@ -168,7 +168,7 @@
 {
   Ibyte buf[512 * 32 + 1];
   Ibyte *buffer = buf;
-  int buffer_size = sizeof (buf);
+  int buffer_size = sizeof (buf) - 1;
   Ibyte *from, *to;
   REGISTER Ibyte *p = buffer;
   Lisp_Object return_me;
@@ -215,13 +215,15 @@
       if (space_left == 0)
 	{
           Ibyte *old_buffer = buffer;
+	  buffer_size *= 2;
+
 	  if (buffer == buf)
 	    {
-	      buffer = xnew_ibytes (buffer_size *= 2);
+	      buffer = xnew_ibytes (buffer_size + 1);
 	      memcpy (buffer, old_buffer, p - old_buffer);
 	    }
 	  else
-            XREALLOC_ARRAY (buffer, Ibyte, buffer_size *= 2);
+            XREALLOC_ARRAY (buffer, Ibyte, buffer_size + 1);
           p += buffer - old_buffer;
 	  space_left = buffer_size - (p - buffer);
 	}
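Review bot: The relocation `p += buffer - old_buffer;` subtracts a pointer into a different object, and in the `XREALLOC_ARRAY` branch one that has presumably been freed if the block moved, so it relies on undefined pointer arithmetic. Recording the offset before growing avoids this: `ptrdiff_t used = p - buffer;` ahead of `buffer_size *= 2;`, then `p = buffer + used;` after the allocation. Separately, `buffer_size` is an `int` that doubles with no upper bound, so a DOC entry with no terminator could in principle overflow it before `buffer_size + 1` is allocated; a cap with an explicit error path would make that case well defined. The enclosing loop and function start and end outside the hunk.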
-- 
Aidan Kehoe, 
http://www.parhasard.net/