changeset 3411:41c353ad2c74
[xemacs-hg @ 2006-05-21 18:35:30 by aidan]
Incorporate Fabrice's fix of my buffer overrun bug.
author | aidan |
---|---|
date | Sun, 21 May 2006 18:35:31 +0000 |
parents | 4af600509221 |
children | 88b62bce19cf |
files | src/ChangeLog src/doc.c |
diffstat | 2 files changed, 18 insertions(+), 6 deletions(-) [+] |
--- a/src/ChangeLog Sat May 20 21:51:10 2006 +0000
+++ b/src/ChangeLog Sun May 21 18:35:31 2006 +0000
@@ -1,3 +1,13 @@
+2006-05-21 Aidan Kehoe <kehoea@parhasard.net>
+
+ * doc.c (extract_object_file_name):
+ * doc.c (unparesseuxify_doc_string):
+ Leave sufficient space for the '\0' sentinel when reading into the
+ buffer. The bug in unparesseuxify_doc_string had been there for
+ ten years at least, but it was Fabrice Popineau's investigation of
+ the code on the same model in extract_object_file_name that
+ provoked its discovery. Thank you Fabrice!
+
 2006-05-16 Stephen J. Turnbull <stephen@xemacs.org>
 * XEmacs 21.5.27 "fiddleheads" is released.
--- a/src/doc.c Sat May 20 21:51:10 2006 +0000
+++ b/src/doc.c Sun May 21 18:35:31 2006 +0000
@@ -49,7 +49,7 @@
 {
 Ibyte buf[DOC_MAX_FILENAME_LENGTH+1];
 Ibyte *buffer = buf;
- int buffer_size = sizeof (buf), space_left;
+ int buffer_size = sizeof (buf) - 1, space_left;
 Ibyte *from, *to;
 REGISTER Ibyte *p = buffer;
 Lisp_Object return_me;
@@ -59,8 +59,8 @@
 GCPRO2 (fdstream, instream);
- position = doc_pos > DOC_MAX_FILENAME_LENGTH ?
- doc_pos - DOC_MAX_FILENAME_LENGTH : 0;
+ position = doc_pos > buffer_size ?
+ doc_pos - buffer_size : 0;
 if (0 > lseek (fd, position, 0))
 {
@@ -168,7 +168,7 @@
 {
 Ibyte buf[512 * 32 + 1];
 Ibyte *buffer = buf;
- int buffer_size = sizeof (buf);
+ int buffer_size = sizeof (buf) - 1;
 Ibyte *from, *to;
 REGISTER Ibyte *p = buffer;
 Lisp_Object return_me;
@@ -215,13 +215,15 @@
 if (space_left == 0)
 {
 Ibyte *old_buffer = buffer;
+ buffer_size *= 2;
+
 if (buffer == buf)
 {
- buffer = xnew_ibytes (buffer_size *= 2);
+ buffer = xnew_ibytes (buffer_size + 1);
 memcpy (buffer, old_buffer, p - old_buffer);
 }
 else
- XREALLOC_ARRAY (buffer, Ibyte, buffer_size *= 2);
+ XREALLOC_ARRAY (buffer, Ibyte, buffer_size + 1);
 p += buffer - old_buffer;
 space_left = buffer_size - (p - buffer);
 }
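Review bot: The `- 1` in `int buffer_size = sizeof (buf) - 1, space_left;` carries the whole overrun fix, yet nothing on the line records why, so a later tidy-up back to `sizeof (buf)` would quietly restore the one-byte overrun. A comment above the declaration such as `/* buffer_size excludes the byte reserved for the terminating '\0'. */` would pin the invariant. The same applies to the matching declaration in the `@@ -168,7` hunk. Both function bodies start and continue outside their hunks, so the read and the terminator store that depend on this are not visible here.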
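Review bot: In the `@@ -215,13` hunk, `buffer_size *= 2;` doubles a signed `int` with no upper bound. If the data being read never reaches its terminator (a corrupt or truncated file, say), the allocation keeps growing until the multiplication overflows, which is undefined behaviour for `int`. A guard ahead of the doubling, for example `if (buffer_size > (INT_MAX - 1) / 2)` branching to the function's existing error path, would cap it. The loop and the read that fill the buffer lie outside the hunk, so the real termination condition could not be checked. A short comment noting that the `+ 1` in `xnew_ibytes (buffer_size + 1)` and `XREALLOC_ARRAY (buffer, Ibyte, buffer_size + 1)` is the sentinel byte `buffer_size` no longer counts would also keep the two allocation sites consistent.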