From 6c6d070dab43d96ba5724d3e5007025c56ff290e Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Mon, 8 Apr 2013 10:19:25 -0400
Subject: [PATCH] Fix write past buffer length for proxy toString operation.

---
 src/servo/dom/bindings/proxyhandler.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/servo/dom/bindings/proxyhandler.rs b/src/servo/dom/bindings/proxyhandler.rs
index c77e5ec952e..f073f54d8c1 100644
--- a/src/servo/dom/bindings/proxyhandler.rs
+++ b/src/servo/dom/bindings/proxyhandler.rs
@@ -62,7 +62,7 @@ pub fn _obj_toString(cx: *JSContext, className: *libc::c_char) -> *JSString {
 unsafe {
 let name = str::raw::from_buf(className as *u8);
 let nchars = "[object ]".len() + name.len();
- let chars: *mut jschar = cast::transmute(JS_malloc(cx, nchars as u64 * (size_of::() as u64)));
+ let chars: *mut jschar = cast::transmute(JS_malloc(cx, (nchars + 1) as u64 * (size_of::() as u64)));
 if chars.is_null() {
 return ptr::null();
 }
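Review bot: The `+ 1` on the new JS_malloc line has no comment saying what the extra jschar is for, so the next person tightening this allocation will not know it is load-bearing; I would annotate it as `// +1: room for the terminating NUL written after the last character` (hedged — the write itself happens in the part of `_obj_toString` that continues past this hunk, so confirm the copy loop writes exactly nchars characters plus one terminator and nothing more). A related missing check two lines up: `str::raw::from_buf(className as *u8)` dereferences the raw `className` pointer with no null guard, while the allocation result right below is guarded, so an early `if className.is_null() { return ptr::null(); }` before `from_buf` would make the two failure paths consistent, assuming a null class name is reachable from callers (not visible here). Also worth noting in a comment that `nchars` is a byte count while the buffer is sized in `jschar` units, which is only correct if the later copy widens one byte to one jschar — fine for ASCII class names, wrong if a multi-byte UTF-8 name ever arrives.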