Fix bug #11288 with overrunning array limits.

 src/dispnew.c (swap_glyph_pointers, copy_row_except_pointers): Don't
 overrun array limits of glyph row's used[] array.

diff --git a/src/ChangeLog b/src/ChangeLog
index 18b6ce1..c232420 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2012-04-20  Eli Zaretskii  <eliz@gnu.org>
+
+       * dispnew.c (swap_glyph_pointers, copy_row_except_pointers): Don't
+       overrun array limits of glyph row's used[] array.  (Bug#11288)
+
 2012-04-20  Chong Yidong  <cyd@gnu.org>
 
        * process.c (wait_reading_process_output): If EIO occurs on a pty,

diff --git a/src/dispnew.c b/src/dispnew.c
index 02d6de5..b313852 100644 (file)
--- a/src/dispnew.c
+++ b/src/dispnew.c
@@ -1085,12 +1085,16 @@ swap_glyph_pointers (struct glyph_row *a, struct glyph_row *b)
   for (i = 0; i < LAST_AREA + 1; ++i)
     {
       struct glyph *temp = a->glyphs[i];
-      short used_tem = a->used[i];
 
       a->glyphs[i] = b->glyphs[i];
       b->glyphs[i] = temp;
-      a->used[i] = b->used[i];
-      b->used[i] = used_tem;
+      if (i < LAST_AREA)
+       {
+         short used_tem = a->used[i];
+
+         a->used[i] = b->used[i];
+         b->used[i] = used_tem;
+       }
     }
   a->hash = b->hash;
   b->hash = hash_tem;
@@ -1105,7 +1109,7 @@ static inline void
 copy_row_except_pointers (struct glyph_row *to, struct glyph_row *from)
 {
   struct glyph *pointers[1 + LAST_AREA];
-  short used[1 + LAST_AREA];
+  short used[LAST_AREA];
   unsigned hashval;
 
   /* Save glyph pointers of TO.  */