Avoid crashes when buffer modification hooks clobber match data

* src/search.c (Freplace_match): Error out if buffer modification
hooks triggered by buffer changes in replace_range, upcase-region,
and upcase-initials-region clobber the match data needed to be
adjusted for the replacement.  (Bug#23869)

diff --git a/src/search.c b/src/search.c
index f39df6784c3a4c7d90149dd0dfe5a119812a18f8..bcdd8f16d0b2a122ec0a5f066048596084af1125 100644 (file)
--- a/src/search.c
+++ b/src/search.c
@@ -2684,6 +2684,14 @@ since only regular expressions have distinguished subexpressions.  */)
       xfree (substed);
     }
 
+  /* The functions below modify the buffer, so they could trigger
+     various modification hooks (see signal_before_change and
+     signal_after_change), which might clobber the match data we need
+     to adjust after the replacement.  If that happens, we error out.  */
+  ptrdiff_t sub_start = search_regs.start[sub];
+  ptrdiff_t sub_end = search_regs.end[sub];
+  unsigned  num_regs = search_regs.num_regs;
+
   /* Replace the old text with the new in the cleanest possible way.  */
   replace_range (search_regs.start[sub], search_regs.end[sub],
                 newtext, 1, 0, 1);
@@ -2696,6 +2704,11 @@ since only regular expressions have distinguished subexpressions.  */)
     Fupcase_initials_region (make_number (search_regs.start[sub]),
                             make_number (newpoint));
 
+  if (search_regs.start[sub] != sub_start
+      || search_regs.end[sub] != sub_end
+      || search_regs.num_regs != num_regs)
+    error ("Match data clobbered by buffer modification hooks");
+
   /* Adjust search data for this change.  */
   {
     ptrdiff_t oldend = search_regs.end[sub];