diff --git a/CHANGES b/CHANGES index dd7cb9a8f3..37c646de14 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4780. [bug] Fix out of bounds access in DHCID totext() method. + [RT #46001] + 4729. [bug] Don't use memset() to wipe memory, as it may be removed by compiler optimizations when the memset() occurs on automatic stack allocation diff --git a/lib/dns/rdata/in_1/dhcid_49.c b/lib/dns/rdata/in_1/dhcid_49.c index 261e41ea8a..526646111c 100644 --- a/lib/dns/rdata/in_1/dhcid_49.c +++ b/lib/dns/rdata/in_1/dhcid_49.c @@ -40,7 +40,7 @@ fromtext_in_dhcid(ARGS_FROMTEXT) { static inline isc_result_t totext_in_dhcid(ARGS_TOTEXT) { - isc_region_t sr; + isc_region_t sr, sr2; char buf[sizeof(" ; 64000 255 64000")]; size_t n; @@ -49,6 +49,7 @@ totext_in_dhcid(ARGS_TOTEXT) { REQUIRE(rdata->length != 0); dns_rdata_toregion(rdata, &sr); + sr2 = sr; if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) RETERR(str_totext("( " /*)*/, target)); @@ -61,8 +62,8 @@ totext_in_dhcid(ARGS_TOTEXT) { RETERR(str_totext(/* ( */ " )", target)); if (rdata->length > 2) { n = snprintf(buf, sizeof(buf), " ; %u %u %u", - sr.base[0] * 256 + sr.base[1], - sr.base[2], rdata->length - 3); + sr2.base[0] * 256 + sr2.base[1], + sr2.base[2], rdata->length - 3); INSIST(n < sizeof(buf)); RETERR(str_totext(buf, target)); }
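Review bot: The added `sr2 = sr;` after `dns_rdata_toregion(rdata, &sr);` in totext_in_dhcid has no comment saying why a second region is kept, so a later cleanup could fold it back into `sr` and reintroduce the out-of-bounds read named in the CHANGES entry. The code between this hunk and the next is not shown, but presumably the base64 output there advances `sr`; I would add `/* sr is consumed by the base64 output below; sr2 keeps the start of the rdata for the trailing comment. */` above the assignment. A more descriptive name than `sr2` in the declaration hunk (`isc_region_t sr, sr2;`), for example `sr_start`, would carry the same information in the code itself.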
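Review bot: The guard `if (rdata->length > 2)` in the last hunk bounds the reads of `sr2.base[0]` through `sr2.base[2]` by a different object than the one being indexed, so it is only correct while `sr2` remains the untouched result of `dns_rdata_toregion()`. Testing the region itself, `if (sr2.length > 2) {`, and printing `sr2.length - 3`, keeps the bounds check and the access on the same value. Separately, `sr2.base[0] * 256 + sr2.base[1]` and `sr2.base[2]` are probably of type int after promotion (the type of `base` is not visible here) while the format string uses `%u`; writing `256U` and casting `sr2.base[2]` to `unsigned int` would make the arguments match the conversion. The function body starts and ends outside this hunk.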