From 8bc53d00e3a4ffff5220adf51b269468fce8c931 Mon Sep 17 00:00:00 2001 From: Eli Zaretskii Date: Sun, 1 Apr 2012 19:55:30 +0300 Subject: [PATCH] Fix unsafe use of alloca reported in bug #11138. src/w32menu.c (simple_dialog_show, add_menu_item): Use SAFE_ALLOCA instead of alloca. --- src/ChangeLog | 5 +++++ src/w32menu.c | 13 +++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index ee54c48cd94..ea80129ff16 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2012-04-01 Eli Zaretskii + + * w32menu.c (simple_dialog_show, add_menu_item): Use SAFE_ALLOCA + instead of alloca. (Bug#11138) + 2012-04-01 Andreas Schwab * w32menu.c (is_simple_dialog): Properly check lisp types. diff --git a/src/w32menu.c b/src/w32menu.c index b25edf0f269..9091cb81627 100644 --- a/src/w32menu.c +++ b/src/w32menu.c @@ -1231,6 +1231,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header) if (unicode_message_box) { WCHAR *text, *title; + USE_SAFE_ALLOCA; if (STRINGP (temp)) { @@ -1240,7 +1241,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header) one utf16 word, so we cannot simply use the character length of temp. */ int utf8_len = strlen (utf8_text); - text = alloca ((utf8_len + 1) * sizeof (WCHAR)); + SAFE_ALLOCA (text, WCHAR *, (utf8_len + 1) * sizeof (WCHAR)); utf8to16 (utf8_text, utf8_len, text); } else @@ -1260,6 +1261,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header) } answer = unicode_message_box (FRAME_W32_WINDOW (f), text, title, type); + SAFE_FREE (); } else { @@ -1366,6 +1368,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item) char *out_string, *p, *q; int return_value; size_t nlen, orig_len; + USE_SAFE_ALLOCA; if (menu_separator_name_p (wv->name)) { 
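Review bot: In the `@@ -1240` hunk of simple_dialog_show, `int utf8_len = strlen (utf8_text);` narrows a size_t to int before it feeds the size passed to SAFE_ALLOCA, and that narrowing matters more now that long strings can take a heap path instead of failing on the stack. A length above INT_MAX would give a truncated or negative value, so the buffer size and the count handed to utf8to16 would no longer describe the real string. I would declare it as `size_t utf8_len = strlen (utf8_text);`, provided utf8to16's length parameter (declared outside this patch) accepts that type, or else reject over-long text before the allocation. The same `(utf8_len + 1) * sizeof (WCHAR)` expression appears in the `@@ -1475` hunk of add_menu_item, where the declaration of utf8_len is outside the hunk.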
@@ -1381,7 +1384,8 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item) if (wv->key != NULL) { - out_string = alloca (strlen (wv->name) + strlen (wv->key) + 2); + SAFE_ALLOCA (out_string, char *, + strlen (wv->name) + strlen (wv->key) + 2); strcpy (out_string, wv->name); strcat (out_string, "\t"); strcat (out_string, wv->key); @@ -1415,7 +1419,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item) if (nlen > orig_len) { p = out_string; - out_string = alloca (nlen + 1); + SAFE_ALLOCA (out_string, char *, nlen + 1); q = out_string; while (*p) { @@ -1475,7 +1479,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item) if (fuFlags & MF_OWNERDRAW) utf16_string = local_alloc ((utf8_len + 1) * sizeof (WCHAR)); else - utf16_string = alloca ((utf8_len + 1) * sizeof (WCHAR)); + SAFE_ALLOCA (utf16_string, WCHAR *, (utf8_len + 1) * sizeof (WCHAR)); utf8to16 (out_string, utf8_len, utf16_string); return_value = unicode_append_menu (menu, fuFlags, @@ -1544,6 +1548,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item) FALSE, &info); } } + SAFE_FREE (); return return_value; } -- 2.39.5
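Review bot: The size argument in the `@@ -1381` hunk, `strlen (wv->name) + strlen (wv->key) + 2`, contains function calls, and if SAFE_ALLOCA expands its size argument more than once (the macro is defined outside this patch), both strings are rescanned on every expansion. Computing the lengths once avoids that and keeps the size and the copy tied to the same values: `size_t name_len = strlen (wv->name), key_len = strlen (wv->key);` followed by `SAFE_ALLOCA (out_string, char *, name_len + key_len + 2);`. The size itself is right for name, tab, key and terminator, so the strcpy/strcat sequence stays within the buffer. add_menu_item starts and ends outside this hunk.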
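Review bot: The MF_OWNERDRAW branch in the `@@ -1475` hunk still assigns `utf16_string = local_alloc ((utf8_len + 1) * sizeof (WCHAR));`, and the next statement, `utf8to16 (out_string, utf8_len, utf16_string);`, writes into it with no check in between. local_alloc is defined outside this patch, but if it can return NULL on exhaustion, the conversion would write through a null pointer. Strings that previously would have overrun the stack in alloca may now reach this branch, so the failure is more likely to be hit. A guard such as `if (utf16_string == NULL)` that runs `SAFE_FREE ();` and returns a failure value before the conversion would close the gap. Which value add_menu_item's callers treat as failure is not visible here.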