From f20a2cd9dcd9f6a62496dc2df7fe5dfc20124bd3 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Tue, 31 Mar 2015 17:18:17 +0300
Subject: [PATCH] Avoid crashing with key-chord (Bug#20223)

src/keyboard.c (read_key_sequence): Don't let this_single_command_key_start become negative.
---
 src/ChangeLog | 5 +++++
 src/keyboard.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index f0ed9e74745..7c7892a3fe8 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-03-31 Eli Zaretskii
+
+ * keyboard.c (read_key_sequence): Don't let
+ this_single_command_key_start become negative. (Bug#20223)
+
 2015-03-29 Jan Djärv
 * gtkutil.c (xg_display_open):
diff --git a/src/keyboard.c b/src/keyboard.c
index bf65df1584c..2d047da5511 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -9591,6 +9591,18 @@ read_key_sequence (Lisp_Object *keybuf, int bufsize, Lisp_Object prompt,
 /* Record what part of this_command_keys is the current key sequence. */
 this_single_command_key_start = this_command_key_count - t;
+ /* When 'input-method-function' called above causes events to be
+ put on 'unread-post-input-method-events', and as result
+ 'reread' is set to 'true', the value of 't' can become larger
+ than 'this_command_key_count', because 'add_command_key' is
+ not called to update 'this_command_key_count'. If this
+ happens, 'this_single_command_key_start' will become negative
+ above, and any call to 'this-single-command-keys' will return
+ a garbled vector. See bug #20223 for one such situation.
+ Here we force 'this_single_command_key_start' to never become
+ negative, to avoid that. */
+ if (this_single_command_key_start < 0)
+ this_single_command_key_start = 0;
 /* Look for this sequence in input-decode-map. Scan from indec.end until we find a bound suffix. */
-- 
2.39.5
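Review bot: The clamp added in the keyboard.c hunk stops the start index going negative but leaves `t` and `this_command_key_count` inconsistent, and the new comment does not say what callers then observe; it should state that in the clamped case `this-single-command-keys` returns everything recorded in this_command_keys (start 0) rather than only the current sequence, so callers that inspect that vector are not misled by a silently widened result. A sentence such as `/* In that case this-single-command-keys returns the whole recorded key vector, not just the current sequence. */` appended to the comment would make the fallback explicit. As a point of style, the guard and the assignment two lines above could be folded into one `this_single_command_key_start = max (this_command_key_count - t, 0);` so the invariant is visible at the point of assignment rather than in a separate fix-up. The enclosing function read_key_sequence starts and ends outside the hunk, so whether `t` is re-synchronised later in the loop cannot be confirmed from here.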