From: Eli Zaretskii
Date: Mon, 24 Oct 2016 13:59:34 +0000 (+0300)
Subject: Another fix for using pointer to buffer text
X-Git-Tag: emacs-25.1.90~82
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=1047496722a58ef5b736dae64d32adeb58c5055c;p=emacs.git

Another fix for using pointer to buffer text

* src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR after the call to xpalloc, to avoid the danger of buffer text relocation after its address was taken. (Bug#24358)
---
diff --git a/src/search.c b/src/search.c
index 5c04916f92e..f8acd40fa08 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions. */)
 const unsigned char *add_stuff = NULL;
 ptrdiff_t add_len = 0;
 ptrdiff_t idx = -1;
+ ptrdiff_t begbyte;

 if (str_multibyte)
 {
@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions. */)
 set up ADD_STUFF and ADD_LEN to point to it. */
 if (idx >= 0)
 {
- ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+ begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
 add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
 if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
 move_gap_both (search_regs.start[idx], begbyte);
- add_stuff = BYTE_POS_ADDR (begbyte);
 }

 /* Now the stuff we want to add to SUBSTED
@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions. */)
 add_len - (substed_alloc_size - substed_len),
 STRING_BYTES_BOUND, 1);

+ /* We compute this after the call to xpalloc, because that
+ could cause buffer text be relocated when ralloc.c is used. */
+ if (idx >= 0)
+ add_stuff = BYTE_POS_ADDR (begbyte);
+
 /* Now add to the end of SUBSTED. */
 if (add_stuff)
 {
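Review bot: `begbyte` is declared without an initializer in the first hunk (`@@ -2640,6 +2640,7 @@`), while its only write (second hunk) and its new read (third hunk) sit under two separate `if (idx >= 0)` tests. That pairing is sound only as long as nothing between the two tests changes `idx`, which the hunks do not show; if a later edit breaks it, an indeterminate byte position is handed to `BYTE_POS_ADDR` and the resulting pointer is used as a copy source. Giving the variable a definite value, e.g. `ptrdiff_t begbyte = 0;`, removes that dependency and avoids a possible maybe-uninitialized warning. The enclosing block starts and ends outside the hunk.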
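Review bot: The comment that closes at the top of the second hunk (`set up ADD_STUFF and ADD_LEN to point to it.`) no longer describes the block under it, which after this change only computes `begbyte` and `add_len` and moves the gap. A reader who trusts it will expect `add_stuff` to be valid from this point on, although it stays NULL until after the reallocation. I would reword the tail of the comment, for example `set up BEGBYTE and ADD_LEN for it; ADD_STUFF is taken after xpalloc below.` The comment begins outside the hunk, so the whole sentence should be checked when editing it.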
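Review bot: The comment added in the third hunk explains why the address is taken after `xpalloc`, but it does not state the rule a later editor has to keep: nothing that may allocate can run between this assignment and the copy that consumes `add_stuff`. The copy itself is outside the hunk, so the constraint is easy to miss; I would write it here, along the lines of `/* Take the address only after xpalloc, which can relocate buffer text when ralloc.c is used; do not add anything that may allocate between here and the copy below. */`, which also repairs the wording "buffer text be relocated". The addressed range is presumably still contiguous because the gap was moved in the earlier `if (idx >= 0)` block, and one clause saying so would help.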