From: Eli Zaretskii <eliz@gnu.org>
Date: Fri, 14 Oct 2016 19:52:46 +0000 (+0300)
Subject: Avoid crashes due to objects read with the #n=object form
X-Git-Tag: emacs-25.1.90~123
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=10835b18cdfd93442e6fae093ffd130587006fcf;p=emacs.git

Avoid crashes due to objects read with the #n=object form

* src/lread.c (read1): Use Fcons for 'placeholder', not AUTO_CONS,
because elements of the list in 'read_objects' cannot be allocated
off the stack.  (Bug#24640)
---

diff --git a/src/lread.c b/src/lread.c
index ef58b20070d..8a368806e15 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2845,7 +2845,18 @@ read1 (Lisp_Object readcharfun, int *pch, bool first_in_list)
 		  if (c == '=')
 		    {
 		      /* Make a placeholder for #n# to use temporarily.  */
-		      AUTO_CONS (placeholder, Qnil, Qnil);
+		      /* Note: We used to use AUTO_CONS to allocate
+			 placeholder, but that is a bad idea, since it
+			 will place a stack-allocated cons cell into
+			 the list in read_objects, which is a
+			 staticpro'd global variable, and thus each of
+			 its elements is marked during each GC.  A
+			 stack-allocated object will become garbled
+			 when its stack slot goes out of scope, and
+			 some other function reuses it for entirely
+			 different purposes, which will cause crashes
+			 in GC.  */
+		      Lisp_Object placeholder = Fcons (Qnil, Qnil);
 		      Lisp_Object cell = Fcons (make_number (n), placeholder);
 		      read_objects = Fcons (cell, read_objects);
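Review bot: the replacement `Lisp_Object placeholder = Fcons (Qnil, Qnil);` is the right fix, since the cell is immediately linked into `read_objects`, which is staticpro'd and marked on every GC, so it must live on the heap; but the twelve-line comment above it mostly narrates the old bug rather than stating the invariant. Consider reducing it to the rule a future reader needs ("placeholder is stored in the staticpro'd read_objects list and must be heap-allocated, never AUTO_CONS") and leaving the Bug#24640 history to the commit message. It would also be worth confirming in the same pass that no other AUTO_CONS object built in read1 can reach `read_objects` by a different path, since this hunk only covers the `#n=` branch.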