diff --git a/ChangeLog b/ChangeLog
index 560f196a..2d698b25 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+Tue Dec 20 11:43:06 CET 2005 Kasimier Buchcik <libxml2-cvs@cazic.ne>
+
+	* xmlschemas.c xmlstring.c: Fixed a segfault during
+	  text concatenation when validating a node tree:
+	  xmlStrncat was called with a @len of -1; but unlike
+	  xmlStrncatNew, it does not calculate the length
+	  automatically in such a case (reported by Judy Hay
+	  on the mailing list).
+	  Updated the descriptions of the involved string
+	  functions to note this.
+
 Thu Dec 15 12:11:07 CET 2005 Daniel Veillard <daniel@veillard.com>
 
 	* nanohttp.c: applied patch from Gary Coady to accept gzipped
diff --git a/xmlschemas.c b/xmlschemas.c
index f7f7567c..95189991 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -26336,7 +26336,9 @@ xmlSchemaVPushText(xmlSchemaValidCtxtPtr vctxt,
 	    default:
 		break;
 	}
-    } else {	
+    } else {
+	if (len < 0)
+	    len = xmlStrlen(value);
 	/*
 	* Concat the value.
 	*/	
diff --git a/xmlstring.c b/xmlstring.c
index 2ef62fba..4994a198 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -437,7 +437,8 @@ xmlStrlen(const xmlChar *str) {
  * @len:  the length of @add
  *
  * a strncat for array of xmlChar's, it will extend @cur with the len
- * first bytes of @add.
+ * first bytes of @add. Note that if @len < 0 then this is an API error
+ * and NULL will be returned.
  *
  * Returns a new xmlChar *, the original @cur is reallocated if needed
  * and should not be freed
@@ -450,6 +451,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
 
     if ((add == NULL) || (len == 0))
         return(cur);
+    if (len < 0)
+	return(NULL);
     if (cur == NULL)
         return(xmlStrndup(add, len));
 
@@ -468,10 +471,11 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
  * xmlStrncatNew:
  * @str1:  first xmlChar string
  * @str2:  second xmlChar string
- * @len:  the len of @str2
+ * @len:  the len of @str2 or < 0
  *
  * same as xmlStrncat, but creates a new string.  The original
- * two strings are not freed.
+ * two strings are not freed. If @len is < 0 then the length
+ * will be calculated automatically.
  *
  * Returns a new xmlChar * or NULL
  */