From 10835b18cdfd93442e6fae093ffd130587006fcf Mon Sep 17 00:00:00 2001
From: Eli Zaretskii <eliz@gnu.org>
Date: Fri, 14 Oct 2016 22:52:46 +0300
Subject: [PATCH] Avoid crashes due to objects read with the #n=object form

* src/lread.c (read1): Use Fcons for 'placeholder', not AUTO_CONS,
because elements of the list in 'read_objects' cannot be allocated
off the stack.  (Bug#24640)
---
 src/lread.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/lread.c b/src/lread.c
index ef58b20070d..8a368806e15 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2845,7 +2845,18 @@ read1 (Lisp_Object readcharfun, int *pch, bool first_in_list)
 		  if (c == '=')
 		    {
 		      /* Make a placeholder for #n# to use temporarily.  */
-		      AUTO_CONS (placeholder, Qnil, Qnil);
+		      /* Note: We used to use AUTO_CONS to allocate
+			 placeholder, but that is a bad idea, since it
+			 will place a stack-allocated cons cell into
+			 the list in read_objects, which is a
+			 staticpro'd global variable, and thus each of
+			 its elements is marked during each GC.  A
+			 stack-allocated object will become garbled
+			 when its stack slot goes out of scope, and
+			 some other function reuses it for entirely
+			 different purposes, which will cause crashes
+			 in GC.  */
+		      Lisp_Object placeholder = Fcons (Qnil, Qnil);
 		      Lisp_Object cell = Fcons (make_number (n), placeholder);
 		      read_objects = Fcons (cell, read_objects);
 
-- 
2.39.5