Index: TODO
===================================================================
diff -u -r6a55e4e48e5431b7b76916a8dbfb550b4cdc6edb -rcf9bbe07158ccf6d77685f42eb0dce5117a225cf
--- TODO (.../TODO) (revision 6a55e4e48e5431b7b76916a8dbfb550b4cdc6edb)
+++ TODO (.../TODO) (revision cf9bbe07158ccf6d77685f42eb0dce5117a225cf)
@@ -5737,6 +5737,7 @@
 a method named "namespace", prefer nsf::directdispatch, etc.)
 - extended regression test
+- fix potentail memory corruption bug in NsfDStringVPrintf()
 ========================================================================
 TODO:
Index: generic/nsfError.c
===================================================================
diff -u -r16a02881bff0a0d626d0045dfd96660338d0c314 -rcf9bbe07158ccf6d77685f42eb0dce5117a225cf
--- generic/nsfError.c (.../nsfError.c) (revision 16a02881bff0a0d626d0045dfd96660338d0c314)
+++ generic/nsfError.c (.../nsfError.c) (revision cf9bbe07158ccf6d77685f42eb0dce5117a225cf)
@@ -74,6 +74,7 @@
 /*
 * Work on a copy of the va_list so that the caller's copy is untouched
 */
+ avail -= offset;
 va_copy(vargsCopy, vargs);
 result = vsnprintf(dsPtr->string + offset, avail, fmt, vargsCopy);
 va_end(vargsCopy);
@@ -105,24 +106,27 @@
 * we have just to adjust the length.
 */
 Tcl_DStringSetLength(dsPtr, offset + result);
+
 } else {
 int addedStringLength;
 /*
 * vsnprintf() has already not copied all content,
 * we have to determine the required length (MS),
 * adjust the DString size and copy again.
 */
+
 #if defined(_MSC_VER)
 va_copy(vargsCopy, vargs);
 addedStringLength = _vscprintf(fmt, vargsCopy);
 va_end(vargsCopy);
 #else
 addedStringLength = result;
 #endif
+
 Tcl_DStringSetLength(dsPtr, offset + addedStringLength);
 va_copy(vargsCopy, vargs);
- result = vsnprintf(dsPtr->string + offset, dsPtr->spaceAvl, fmt, vargsCopy);
+ result = vsnprintf(dsPtr->string + offset, dsPtr->spaceAvl - offset, fmt, vargsCopy);
 assert(result > -1);
 va_end(vargsCopy);
 }
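Review bot: The new `avail -= offset;` is placed between the comment "Work on a copy of the va_list" and the `va_copy()` call that comment describes, so the comment now appears to explain the subtraction; move the statement above the comment and give it its own note, e.g. `/* avail: bytes still free after the current content (spaceAvl - length) */`. The adjustment is only correct if `avail` was initialised from `dsPtr->spaceAvl` and `offset` from `dsPtr->length` before this hunk, and if the truncation test that follows compares `result` against this reduced `avail` rather than the full capacity — both sit outside the hunk, as does the start of NsfDStringVPrintf(). Presumably a Tcl_DString keeps `length` below `spaceAvl` so the difference cannot go negative, but since `spaceAvl` is an `int`, writing the size argument as `(size_t)avail` would make the signed-to-unsigned conversion on the vsnprintf() call explicit and keep -Wconversion quiet.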
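Review bot: The retry `vsnprintf()` now gets `dsPtr->spaceAvl - offset`, which is the right bound for a write starting at `dsPtr->string + offset`, but the length handed to `Tcl_DStringSetLength()` just above it is still unchecked: `_vscprintf()` returns -1 on failure and on the non-MSVC path `addedStringLength = result` carries whatever the first call returned, so if the else branch can also be entered on a negative `result` (the condition is outside the hunk) a negative length reaches `Tcl_DStringSetLength()` and the only check on the retry is an `assert`, which is compiled out under NDEBUG. Guard before resizing, e.g. `if (addedStringLength < 0) { /* encoding error: leave dsPtr untouched */ return; }`, adapting the return to the function's type, whose signature is outside the hunk. The three added blank lines are whitespace only; a comment on the retry would carry more information, e.g. `/* spaceAvl now covers offset + addedStringLength + NUL, so this call cannot truncate */`.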