Fix bug #12196 with incorrect memory allocations for region-cache.

 src/region-cache.c (move_cache_gap): Update gap_len using the actual
 growth of the boundaries array.  Do not change cache_len.

diff --git a/src/ChangeLog b/src/ChangeLog
index eb19fad9abe80adc6ba853eb5875d2538651a2ca..20e5e4bdfbbb985c5083b55305cba745b52cbda6 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2012-08-15  Eli Zaretskii  <eliz@gnu.org>
+
+       * region-cache.c (move_cache_gap): Update gap_len using the actual
+       growth of the boundaries array.  Do not change cache_len.
+       (Bug#12196)
+
 2012-08-15  Dmitry Antipov  <dmantipov@yandex.ru>
 
        Generalize and cleanup font subsystem checks.

diff --git a/src/region-cache.c b/src/region-cache.c
index 14b6233a5a5c892077ee5a6e44a423f13e3e9a2c..d2bba8c11b2fb2ac1bbc4d9ceea679e2902b6c73 100644 (file)
--- a/src/region-cache.c
+++ b/src/region-cache.c
@@ -245,16 +245,16 @@ move_cache_gap (struct region_cache *c, ptrdiff_t pos, ptrdiff_t min_size)
      when the portion after the gap is smallest.  */
   if (gap_len < min_size)
     {
-      ptrdiff_t i;
+      ptrdiff_t i, nboundaries = c->cache_len;
 
       c->boundaries =
-       xpalloc (c->boundaries, &c->cache_len, min_size, -1,
+       xpalloc (c->boundaries, &nboundaries, min_size - gap_len, -1,
                 sizeof *c->boundaries);
 
       /* Some systems don't provide a version of the copy routine that
          can be trusted to shift memory upward into an overlapping
          region.  memmove isn't widely available.  */
-      min_size -= gap_len;
+      min_size = nboundaries - c->cache_len - gap_len;
       for (i = c->cache_len - 1; i >= gap_start; i--)
         {
           c->boundaries[i + min_size].pos   = c->boundaries[i + gap_len].pos;