From 3a9d6296b35e5317c497674d5725eb52699bd3b8 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Mon, 4 Jul 2016 18:34:40 +0300
Subject: [PATCH] Avoid crashes when buffer modification hooks clobber match data
* src/search.c (Freplace_match): Error out if buffer modification hooks triggered by buffer changes in replace_range, upcase-region, and upcase-initials-region clobber the match data needed to be adjusted for the replacement. (Bug#23869)
---
 src/search.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/search.c b/src/search.c
index f39df6784c3..bcdd8f16d0b 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2684,6 +2684,14 @@ since only regular expressions have distinguished subexpressions. */)
 xfree (substed);
 }
 
+ /* The functions below modify the buffer, so they could trigger
+ various modification hooks (see signal_before_change and
+ signal_after_change), which might clobber the match data we need
+ to adjust after the replacement. If that happens, we error out. */
+ ptrdiff_t sub_start = search_regs.start[sub];
+ ptrdiff_t sub_end = search_regs.end[sub];
+ unsigned num_regs = search_regs.num_regs;
+
 /* Replace the old text with the new in the cleanest possible way. */
 replace_range (search_regs.start[sub], search_regs.end[sub],
 newtext, 1, 0, 1);
@@ -2696,6 +2704,11 @@ since only regular expressions have distinguished subexpressions. */)
 Fupcase_initials_region (make_number (search_regs.start[sub]),
 make_number (newpoint));
 
+ if (search_regs.start[sub] != sub_start
+ || search_regs.end[sub] != sub_end
+ || search_regs.num_regs != num_regs)
+ error ("Match data clobbered by buffer modification hooks");
+
 /* Adjust search data for this change. */
 {
 ptrdiff_t oldend = search_regs.end[sub];
--
2.39.5
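Review bot: The new guard in the second hunk only runs after the case-conversion calls, yet the context line `Fupcase_initials_region (make_number (search_regs.start[sub]),` (and, presumably, the Fupcase_region call that sits between the two hunks) re-reads `search_regs.start[sub]` after replace_range has already fired its modification hooks, so a clobbered start is used as the conversion bound before the check can reject it. The first hunk now keeps the pre-modification copy, so passing `make_number (sub_start)` to those calls would close that window, and the comparison afterwards still catches whatever the case functions' own hooks change. The check also verifies only entry `sub` and `num_regs`; a hook that rewrites other registers while keeping the count would, I think, pass through into the adjustment block below and leave stale match data rather than crash, which the added comment could say explicitly. Freplace_match begins and ends outside both hunks.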