http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54392

--- Comment #9 from Paolo Carlini <paolo.carlini at oracle dot com> 2012-08-29 15:28:45 UTC ---
Ok, I see. The problem is that when the source is inside the destination, we
may be copying one more char, the final '\0', than the current size and
overflow the allocated memory. We need reallocation in this case too. But we
can't just follow the path of _M_replace_safe, because it deallocates the
source! This case is harder to fix than the empty rep special case.
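
Added example, not part of the original comment and not libstdc++ code: a toy string that grows when the source of an append lies inside the destination, copying from the source before releasing the old storage and budgeting the terminating '\0' in the allocation. `ToyString`, its `append`, and the doubling growth policy are hypothetical; the real `basic_string` internals differ.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Toy model (hypothetical; not libstdc++'s basic_string): `len` chars plus a
// terminating '\0' live in an allocation of `cap + 1` bytes.
struct ToyString {
    char*       data;
    std::size_t len;
    std::size_t cap;

    explicit ToyString(const char* s) : len(std::strlen(s)), cap(len) {
        data = new char[cap + 1];
        std::memcpy(data, s, len + 1);
    }
    ~ToyString() { delete[] data; }
    ToyString(const ToyString&) = delete;
    ToyString& operator=(const ToyString&) = delete;

    // Append n chars starting at s; s may point inside this object's own
    // buffer. Returns true when the storage had to be reallocated.
    bool append(const char* s, std::size_t n) {
        if (len + n > cap) {
            std::size_t new_cap = 2 * (len + n);
            char* fresh = new char[new_cap + 1];  // +1 for the '\0'
            std::memcpy(fresh, data, len);
            // Copy from s while the old buffer is still alive: if s aliases
            // data, freeing first would turn this into a read of freed memory.
            std::memcpy(fresh + len, s, n);
            delete[] data;
            data = fresh;
            cap = new_cap;
            len += n;
            data[len] = '\0';
            return true;
        }
        // In place: move exactly n chars, then write the terminator
        // ourselves; cap + 1 bytes exist, so data[len] stays in bounds.
        std::memmove(data + len, s, n);
        len += n;
        data[len] = '\0';
        return false;
    }
};

int main() {
    ToyString t("abc");
    bool grew = t.append(t.data + 1, 2);  // source lies inside destination
    std::printf("%s realloc=%d\n", t.data, grew);
    return 0;
}
```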
