diff -up qt-x11-opensource-src-4.5.2/src/3rdparty/webkit/WebCore/html/HTMLTokenizer.cpp.orig qt-x11-opensource-src-4.5.2/src/3rdparty/webkit/WebCore/html/HTMLTokenizer.cpp
--- qt-x11-opensource-src-4.5.2/src/3rdparty/webkit/WebCore/html/HTMLTokenizer.cpp.orig	2009-08-18 12:28:26.000000000 +0200
+++ qt-x11-opensource-src-4.5.2/src/3rdparty/webkit/WebCore/html/HTMLTokenizer.cpp	2009-08-18 12:33:43.000000000 +0200
@@ -867,7 +867,9 @@ HTMLTokenizer::State HTMLTokenizer::pars
                     }
                 } else {
                     // FIXME: We should eventually colorize entities by sending them as a special token.
-                    checkBuffer(11);
+                    // 12 bytes required: up to 10 bytes in m_cBuffer plus the
+                    // leading '&' and trailing ';'
+                    checkBuffer(12);
                     *dest++ = '&';
                     for (unsigned i = 0; i < cBufferPos; i++)
                         dest[i] = m_cBuffer[i];
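Review bot: The corrected reservation `checkBuffer(12)` is right only as long as cBufferPos never exceeds 10, and nothing in this hunk (or the second hunk at line 880, which has the same shape) enforces or documents that invariant next to the copy loop `dest[i] = m_cBuffer[i]`; the bound is presumably maintained where m_cBuffer is filled, outside the hunk. Since an undersized reservation here is exactly the class of bug this patch fixes, the invariant is worth asserting at the point it is relied on, e.g. `ASSERT(cBufferPos <= 10);` immediately before `*dest++ = '&';` in both places, so a future change to the entity-buffer limit fails loudly in debug builds instead of silently overrunning dest. The literal 10/11/12 values are also now duplicated between the comments and the calls; deriving them from a single named constant for the m_cBuffer capacity (if the file defines one) would keep them from drifting apart. The enclosing parseEntity body begins and ends outside the hunk.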
@@ -878,7 +880,9 @@ HTMLTokenizer::State HTMLTokenizer::pars
                     }
                 }
             } else {
-                checkBuffer(10);
+                // 11 bytes required: up to 10 bytes in m_cBuffer plus the
+                // leading '&'
+                checkBuffer(11);
                 // ignore the sequence, add it to the buffer as plaintext
                 *dest++ = '&';
                 for (unsigned i = 0; i < cBufferPos; i++)