--- rpm-5.4.9/rpmio/mire.c.str_nul~	2012-04-16 05:21:22.000000000 +0200
+++ rpm-5.4.9/rpmio/mire.c	2012-05-15 03:20:14.361970779 +0200
@@ -415,11 +415,10 @@ int mireRegexec(miRE mire, const char *
 	    break;
 	/* XXX rpmgrep: ensure that the string is NUL terminated. */
 	if (vallen > 0) {
-	    if (val[vallen] != '\0') {
-		char * t = strncpy((char *)alloca(vallen+1), val, vallen);
-		t[vallen] = '\0';
-		val = t;
-	    }
+	    /* if (val[vallen] != '\0') might go outside of allocated memory */
+	    char * t = strncpy(alloca(vallen+1), val, vallen);
+	    t[vallen] = '\0';
+	    val = t;
 	} else
 	if (vallen == 0)
 	    vallen = strlen(val);
@@ -466,6 +465,13 @@ int mireRegexec(miRE mire, const char *
     case RPMMIRE_GLOB:
 	if (mire->pattern == NULL)
 	    break;
+	/* XXX rpmgrep: ensure that the string is NUL terminated. */
+	if (vallen > 0) {
+	    /* if (val[vallen] != '\0') might go outside of allocated memory */
+	    char * t = strncpy(alloca(vallen+1), val, vallen);
+	    t[vallen] = '\0';
+	    val = t;
+	}
 	rc = fnmatch(mire->pattern, val, mire->fnflags);
 	switch (rc) {
 	case 0:			rc = 0;	/*@innerbreak@*/ break;