diff --git a/ChangeLog b/ChangeLog
index d70544a412345c8214c38a265c2a6bca928c1a97..136d3be72691070507d93d5da306f9fe77d947fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -141,6 +141,9 @@ CVS code - do_statusbar_output()
 - Don't set answer_len until after it's been asserted that answer isn't NULL. (DLR)
+ display_string()
+ - Avoid a memory corruption problem by allocating enough space
+ for len plus a trailing multibyte character and/or tab. (DLR)
 nanogetstr()
 - Rename variable def to curranswer to avoid confusion. (DLR)
 - Only declare and use the tabbed variable if DISABLE_TABCOMP
diff --git a/src/winio.c b/src/winio.c
index 22128bd614bae990a638b9dbd3b96896d7d2b286..865c514ae3fabc8ba366e6b55af381c51e37d8d9 100644
--- a/src/winio.c
+++ b/src/winio.c
@@ -2254,9 +2254,9 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 assert(column <= start_col);
- /* Allocate enough space for the entire line. It should contain
- * (len + 2) multibyte characters at most. */
- alloc_len = mb_cur_max() * (len + 2);
+ /* Allocate enough space for the entire line, accounting for a
+ * trailing multibyte character and/or tab. */
+ alloc_len = (mb_cur_max() * (len + 1)) + tabsize;
 converted = charalloc(alloc_len + 1);
 index = 0;
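Review bot: The new size in `alloc_len = (mb_cur_max() * (len + 1)) + tabsize;` is a worst-case bound that the comment states but does not derive, and nothing visible in the hunk checks writes against it; the ChangeLog entry says the previous `(len + 2)` estimate led to memory corruption for exactly that reason. If this is the intended accounting, I would spell it out in the comment, e.g. `/* Worst case: len columns of up to mb_cur_max() bytes each, plus one more multibyte character, plus one tab expanded to tabsize spaces. */`, and, since the function already uses assert(), add `assert(index <= alloc_len);` at the point where the result is terminated (presumably after the copy loop). The multiplication and the `+ tabsize` are also unchecked arithmetic on `len` (a size_t), so a very large `len` would wrap and under-allocate; whether any caller can pass such a value is not visible here. The body of display_string() starts and ends outside the hunk, so the copy loop itself could not be checked against the bound.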