From 88c6db91961945e4ede53d66216c2484f0c5342b Mon Sep 17 00:00:00 2001
From: Eli Zaretskii <eliz@gnu.org>
Date: Thu, 5 Mar 2020 17:57:21 +0200
Subject: [PATCH] Avoid crashes when a fontset has strange entries

* src/fontset.c (reorder_font_vector): Skip nil entries in the
loop that assigns scores to rfont_def's.
(fontset_compare_rfontdef): Cope with nil.  This has the effect of
moving any nil entries to the end of the font-group, and avoids
crashing if an element other than the last in the font-group is
nil.  (Bug#39892)
---
 src/fontset.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/fontset.c b/src/fontset.c
index bca9452418e..c2bb8b21f26 100644
--- a/src/fontset.c
+++ b/src/fontset.c
@@ -367,8 +367,14 @@ fontset_add (Lisp_Object fontset, Lisp_Object range, Lisp_Object elt, Lisp_Objec
 static int
 fontset_compare_rfontdef (const void *val1, const void *val2)
 {
-  return (RFONT_DEF_SCORE (*(Lisp_Object *) val1)
-	  - RFONT_DEF_SCORE (*(Lisp_Object *) val2));
+  Lisp_Object v1 = *(Lisp_Object *) val1, v2 = *(Lisp_Object *) val2;
+  if (NILP (v1) && NILP (v2))
+    return 0;
+  else if (NILP (v1))
+    return INT_MIN;
+  else if (NILP (v2))
+    return INT_MAX;
+  return (RFONT_DEF_SCORE (v1) - RFONT_DEF_SCORE (v2));
 }
 
 /* Update a cons cell which has this form:
@@ -400,6 +406,8 @@ reorder_font_vector (Lisp_Object font_group, struct font *font)
   for (i = 0; i < size; i++)
     {
       Lisp_Object rfont_def = AREF (vec, i);
+      if (NILP (rfont_def))
+	continue;
       Lisp_Object font_def = RFONT_DEF_FONT_DEF (rfont_def);
       Lisp_Object font_spec = FONT_DEF_SPEC (font_def);
       int score = RFONT_DEF_SCORE (rfont_def) & 0xFF;
-- 
2.39.5