From cec2ef73a6ac0062f428d219afd139a7e42c4734 Mon Sep 17 00:00:00 2001
From: Po Lu
Date: Mon, 23 May 2022 20:31:18 +0800
Subject: [PATCH] Fix stack overflows with large popup menus
* src/xmenu.c (x_menu_show): Allocate various stacks with SAFE_ALLOCA.
---
 src/xmenu.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/xmenu.c b/src/xmenu.c
index aaf53569a72..e9601981edd 100644
--- a/src/xmenu.c
+++ b/src/xmenu.c
@@ -1894,13 +1894,19 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 {
 int i;
 widget_value *wv, *save_wv = 0, *first_wv = 0, *prev_wv = 0;
- widget_value **submenu_stack
- = alloca (menu_items_used * sizeof *submenu_stack);
- Lisp_Object *subprefix_stack
- = alloca (menu_items_used * sizeof *subprefix_stack);
+ widget_value **submenu_stack;
+ Lisp_Object *subprefix_stack;
 int submenu_depth = 0;
+ specpdl_ref specpdl_count;
- specpdl_ref specpdl_count = SPECPDL_INDEX ();
+ USE_SAFE_ALLOCA;
+
+ submenu_stack = SAFE_ALLOCA (menu_items_used
+ * sizeof *submenu_stack);
+ subprefix_stack = SAFE_ALLOCA (menu_items_used
+ * sizeof *subprefix_stack);
+
+ specpdl_count = SPECPDL_INDEX ();
 eassert (FRAME_X_P (f));
@@ -1909,6 +1915,7 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 if (menu_items_used <= MENU_ITEMS_PANE_LENGTH)
 {
 *error_name = "Empty menu";
+ SAFE_FREE ();
 return Qnil;
 }
@@ -2141,6 +2148,8 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 entry = Fcons (subprefix_stack[j], entry);
 }
 unblock_input ();
+
+ SAFE_FREE ();
 return entry;
 }
 i += MENU_ITEMS_ITEM_LENGTH;
@@ -2155,6 +2164,8 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 }
 unblock_input ();
+
+ SAFE_FREE ();
 return Qnil;
 }
-- 
2.39.2
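Review bot: `subprefix_stack` holds `Lisp_Object` values, and in the first hunk it now comes from plain `SAFE_ALLOCA`, whose fallback for large sizes is heap memory that, as far as I know, the garbage collector's stack scan does not cover. If the stored prefixes always stay reachable through `menu_items` this is harmless, but that dependency is not visible in the hunk; lisp.h provides `SAFE_ALLOCA_LISP (subprefix_stack, menu_items_used);` for arrays of Lisp objects. For the pointer array, `SAFE_NALLOCA (submenu_stack, 1, menu_items_used);` would replace the open-coded `menu_items_used * sizeof *submenu_stack` with an overflow-checked size. The body of x_menu_show continues outside the hunk.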
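Review bot: `SAFE_FREE ()` is added by hand before three returns (the "Empty menu" return in the second hunk, `return entry;` in the third and the final `return Qnil;` in the fourth), but more than two hundred lines of the function between the second and third hunks are not shown, so any other `return` there would skip the call. In that case the heap fallback would presumably stay allocated until an outer frame unwinds the specpdl. It is worth confirming that no such return exists, or routing the exits through one cleanup label so a later edit cannot miss the call. A comment next to `USE_SAFE_ALLOCA;` such as `/* Every return below must call SAFE_FREE first.  */` would record the invariant. x_menu_show starts outside these hunks.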