From d29b9d5bd68cc1e428e44ea45d7de30dbb0272c1 Mon Sep 17 00:00:00 2001
From: David Lawrence Ramsey <pooka109@gmail.com>
Date: Mon, 6 Jun 2005 03:17:07 +0000
Subject: [PATCH] fix another memory corruption problem in display_string()
 found by valgrind

git-svn-id: svn://svn.savannah.gnu.org/nano/trunk/nano@2598 35c25a1d-7b9e-4130-9fde-d3aeb78583b8
---
 ChangeLog   | 3 +++
 src/winio.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d70544a4..136d3be7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -141,6 +141,9 @@ CVS code -
   do_statusbar_output()
 	- Don't set answer_len until after it's been asserted that
 	  answer isn't NULL. (DLR)
+  display_string()
+	- Avoid a memory corruption problem by allocating enough space
+	  for len plus a trailing multibyte character and/or tab. (DLR)
   nanogetstr()
 	- Rename variable def to curranswer to avoid confusion. (DLR)
 	- Only declare and use the tabbed variable if DISABLE_TABCOMP
diff --git a/src/winio.c b/src/winio.c
index 22128bd6..865c514a 100644
--- a/src/winio.c
+++ b/src/winio.c
@@ -2254,9 +2254,9 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 
     assert(column <= start_col);
 
-    /* Allocate enough space for the entire line.  It should contain
-     * (len + 2) multibyte characters at most. */
-    alloc_len = mb_cur_max() * (len + 2);
+    /* Allocate enough space for the entire line, accounting for a
+     * trailing multibyte character and/or tab. */
+    alloc_len = (mb_cur_max() * (len + 1)) + tabsize;
 
     converted = charalloc(alloc_len + 1);
     index = 0;
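Review bot: The new size `(mb_cur_max() * (len + 1)) + tabsize` is only safe if the fill loop never writes more than mb_cur_max() bytes per column plus one tab expansion past len, and nothing in this hunk enforces or records that bound; the loop itself lies outside the hunk. Since the subject calls this another corruption of the same buffer, a check after the loop such as `assert(index <= alloc_len);` would turn a future miscalculation into a debug-build failure instead of silent heap corruption, though it is compiled out of release builds and does not replace correct sizing. The comment could also state the worst case explicitly, e.g. `/* Worst case: len columns of mb_cur_max() bytes each, one trailing multibyte character, and up to tabsize spaces for a trailing tab. */`. The multiplication and the added tabsize are unchecked size_t arithmetic, and tabsize's type and range are not visible here, so confirm it cannot be negative or large enough to wrap alloc_len before `charalloc(alloc_len + 1)`.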
-- 
GitLab