From f458e7509969ef197ed25cce52dc7a67d85d9e6f Mon Sep 17 00:00:00 2001
From: "igor%mir2.org"
Date: Mon, 27 Feb 2006 17:32:22 +0000
Subject: [PATCH] Bug 328556: Proper accounting for growth in array_join_sub when reallocating chars array. r=mrbkap
---
 js/src/jsarray.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/src/jsarray.c b/js/src/jsarray.c
index f6b376ced5e..cf1bafcd686 100644
--- a/js/src/jsarray.c
+++ b/js/src/jsarray.c
@@ -426,8 +426,8 @@ array_join_sub(JSContext *cx, JSObject *obj, enum ArrayToStringOp op,
 } else {
 MAKE_SHARP(he);
 nchars = js_strlen(chars);
- chars = (jschar *)
- realloc((ochars = chars), nchars * sizeof(jschar) + growth);
+ growth += nchars * sizeof(jschar);
+ chars = (jschar *)realloc((ochars = chars), growth);
 if (!chars) {
 free(ochars);
 goto done;
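Review bot: The new size in `growth += nchars * sizeof(jschar);` is computed with no check that the product or the sum fits in the type of `growth`; if either wraps (assuming `growth` is an unsigned size type, which the hunk does not show), `realloc` succeeds with a buffer smaller than the amount the caller then writes, turning a length-accounting fix into a heap overflow on very long arrays. A guard before the addition, handled the same way as the realloc failure below it, closes that path: `if (nchars > (SIZE_MAX - growth) / sizeof(jschar)) { free(chars); chars = NULL; goto done; }` (substitute the project's own size limit if `SIZE_MAX` is not available). Whether `done` already frees `chars` on the failure path is not visible here, so confirm that before copying the realloc-failure cleanup. array_join_sub's body starts before and continues after this hunk.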