From 6b796b3d2a047095c84ababef90d2db3b7f17793 Mon Sep 17 00:00:00 2001
From: Paulo Cesar Pereira de Andrade
Date: Wed, 13 Feb 2008 02:08:14 -0200
Subject: [PATCH] Fix an incorrect buffer size calculation and allocation.
---
lisp/io.c | 16 ++++++++++++----
1 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/lisp/io.c b/lisp/io.c
index 56da49b..3a33855 100644
--- a/lisp/io.c
+++ b/lisp/io.c
@@ -633,26 +633,34 @@ LispFwrite(LispFile *file, void *data, int size) int LispSwrite(LispString *string, void *data, int size) { + int bytes; + if (size < 0) return (EOF); if (string->output + size >= string->space) { if (string->fixed) { /* leave space for a ending nul character */ - size = string->space - string->output - 1; + bytes = string->space - string->output - 1; + + if (bytes < size) + size = bytes; if (size <= 0) return (-1); } else { - char *tmp = realloc(string->string, string->space + - (size / pagesize) * pagesize + pagesize); + char *tmp; + + bytes = string->space + size; + bytes += pagesize - (bytes % pagesize); + tmp = realloc(string->string, bytes); if (tmp == NULL) return (-1); string->string = tmp; - string->space = bytes; } } memcpy(string->string + string->output, data, size);
--
1.5.3.2
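Review bot: The capacity test `string->output + size >= string->space` and the new `bytes = string->space + size;` are both signed additions on a caller-supplied `size` that is only checked for being negative, so a very large `size` can overflow (undefined behaviour) and either skip the grow branch or pass a wrapped value to `realloc` before the `memcpy` runs. Assuming `output` and `space` are `int` fields with `output <= space` (their declarations are not in this hunk), I would reject the request before any addition, e.g. `if (size > INT_MAX - string->space) return (-1);` with `<limits.h>` included, and likewise check `bytes > INT_MAX - pagesize` before the round-up. The round-up always adds at least one byte, and a whole page when `bytes` is already a multiple of `pagesize`; that is what leaves room for the terminating nul, so it deserves a comment such as `/* always grows past output + size, so the nul fits */`. LispSwrite's body continues past the end of the hunk.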