From 1047496722a58ef5b736dae64d32adeb58c5055c Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Mon, 24 Oct 2016 16:59:34 +0300
Subject: [PATCH] Another fix for using pointer to buffer text

* src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR after the call to xpalloc, to avoid the danger of buffer text relocation after its address was taken. (Bug#24358)
---
 src/search.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/search.c b/src/search.c
index 5c04916f92e..f8acd40fa08 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions. */)
           const unsigned char *add_stuff = NULL;
           ptrdiff_t add_len = 0;
           ptrdiff_t idx = -1;
+          ptrdiff_t begbyte;
 
           if (str_multibyte)
             {
@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions. */)
              set up ADD_STUFF and ADD_LEN to point to it. */
           if (idx >= 0)
             {
-              ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+              begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
               add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
               if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
                 move_gap_both (search_regs.start[idx], begbyte);
-              add_stuff = BYTE_POS_ADDR (begbyte);
             }
 
           /* Now the stuff we want to add to SUBSTED
@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions. */)
                        add_len - (substed_alloc_size - substed_len),
                        STRING_BYTES_BOUND, 1);
 
+          /* We compute this after the call to xpalloc, because that
+             could cause buffer text be relocated when ralloc.c is used. */
+          if (idx >= 0)
+            add_stuff = BYTE_POS_ADDR (begbyte);
+
           /* Now add to the end of SUBSTED. */
           if (add_stuff)
             {
-- 
2.39.5
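Review bot: `begbyte` is now declared without an initializer in the first hunk and assigned only under `if (idx >= 0)` in the second, so the read in the third hunk's `add_stuff = BYTE_POS_ADDR (begbyte);` is well-defined only as long as the two `idx >= 0` guards stay in sync, and GCC's -Wmaybe-uninitialized is likely to flag it. I would initialize it at the declaration, `ptrdiff_t begbyte = 0;  /* Valid only when idx >= 0.  */`, so a future edit that drifts one guard turns into a wrong address rather than an uninitialized read. The new comment in the third hunk also has a grammar slip; suggest `could cause buffer text to be relocated when ralloc.c is used.  */`. The enclosing body of Freplace_match starts before and continues past all three hunks.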