Another fix for using pointer to buffer text

* src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR
after the call to xpalloc, to avoid the danger of buffer text
relocation after its address was taken.  (Bug#24358)

diff --git a/src/search.c b/src/search.c
index 5c04916f92e3cee1786719061ab3614a626f23bf..f8acd40fa0812c2643d1ef031966da870c66d028 100644 (file)
--- a/src/search.c
+++ b/src/search.c
@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions.  */)
          const unsigned char *add_stuff = NULL;
          ptrdiff_t add_len = 0;
          ptrdiff_t idx = -1;
+         ptrdiff_t begbyte;
 
          if (str_multibyte)
            {
@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions.  */)
             set up ADD_STUFF and ADD_LEN to point to it.  */
          if (idx >= 0)
            {
-             ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+             begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
              add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
              if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
                move_gap_both (search_regs.start[idx], begbyte);
-             add_stuff = BYTE_POS_ADDR (begbyte);
            }
 
          /* Now the stuff we want to add to SUBSTED
@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions.  */)
                       add_len - (substed_alloc_size - substed_len),
                       STRING_BYTES_BOUND, 1);
 
+         /* We compute this after the call to xpalloc, because that
+            could cause buffer text be relocated when ralloc.c is used.  */
+         if (idx >= 0)
+           add_stuff = BYTE_POS_ADDR (begbyte);
+
          /* Now add to the end of SUBSTED.  */
          if (add_stuff)
            {