Fix bug #12196 with incorrect memory allocations for region-cache.

 src/region-cache.c (move_cache_gap): Update gap_len using the actual
 growth of the boundaries array.  Do not change cache_len.

2 files changed, 9 insertions, 3 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index eb19fad9abe..20e5e4bdfbb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2012-08-15  Eli Zaretskii  <eliz@gnu.org>
+
+        * region-cache.c (move_cache_gap): Update gap_len using the actual
+        growth of the boundaries array.  Do not change cache_len.
+        (Bug#12196)
+
 2012-08-15  Dmitry Antipov  <dmantipov@yandex.ru>
 
         Generalize and cleanup font subsystem checks.
diff --git a/src/region-cache.c b/src/region-cache.c
index 14b6233a5a5..d2bba8c11b2 100644
--- a/src/region-cache.c
+++ b/src/region-cache.c
@@ -245,16 +245,16 @@ move_cache_gap (struct region_cache *c, ptrdiff_t pos, ptrdiff_t min_size)
      when the portion after the gap is smallest.  */
   if (gap_len < min_size)
     {
-      ptrdiff_t i;
+      ptrdiff_t i, nboundaries = c->cache_len;
 
       c->boundaries =
-        xpalloc (c->boundaries, &c->cache_len, min_size, -1,
+        xpalloc (c->boundaries, &nboundaries, min_size - gap_len, -1,
                  sizeof *c->boundaries);
 
       /* Some systems don't provide a version of the copy routine that
          can be trusted to shift memory upward into an overlapping
          region.  memmove isn't widely available.  */
-      min_size -= gap_len;
+      min_size = nboundaries - c->cache_len - gap_len;
       for (i = c->cache_len - 1; i >= gap_start; i--)
         {
           c->boundaries[i + min_size].pos   = c->boundaries[i + gap_len].pos;