Fix undefined behavior when fetching glyphs from the display vector.

You can trigger this rather obscure bug by enabling selective display
if the second glyph in its display vector has an invalid face.  For
example, evaluate

(set-display-table-slot standard-display-table
                        'selective-display [?A (?B . invalid)])

and then enable selective display.

* src/xdisp.c (next_element_from_display_vector): Check whether next
glyph code is valid before accessing it.

diff --git a/src/xdisp.c b/src/xdisp.c
index ac706d084147eac5fe150b151fc6f9423ed19c91..71a5f1c34f0e530da01b91ed59d54d4aab57c616 100644 (file)
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -8221,10 +8221,10 @@ next_element_from_display_vector (struct it *it)
            next_face_id = it->dpvec_face_id;
          else
            {
-             int lface_id =
-               GLYPH_CODE_FACE (it->dpvec[it->current.dpvec_index + 1]);
+              Lisp_Object gc = it->dpvec[it->current.dpvec_index + 1];
+              int lface_id = GLYPH_CODE_P (gc) ? GLYPH_CODE_FACE (gc) : 0;
 
-             if (lface_id > 0)
+              if (lface_id > 0)
                next_face_id = merge_faces (it->w, Qt, lface_id,
                                            it->saved_face_id);
            }