From 59ac2d1316937bb013ef437885dcdc0225c71de9 Mon Sep 17 00:00:00 2001 From: Eli Zaretskii Date: Sat, 19 Jan 2013 22:04:33 +0200 Subject: [PATCH] Fix crashes with lots of overlays. src/editfns.c (get_pos_property): Use SAFE_ALLOCA_LISP, to avoid segfault when there are lots of overlays. src/buffer.c (sort_overlays): Use SAFE_NALLOCA, to avoid segfault when there are lots of overlays. See http://lists.gnu.org/archive/html/emacs-devel/2013-01/msg00421.html for the details and a way to reproduce. --- src/ChangeLog | 10 ++++++++++ src/buffer.c | 7 ++++++- src/editfns.c | 5 ++++- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index c66963738b..2564e57a82 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,13 @@ +2013-01-19 Eli Zaretskii + + * editfns.c (get_pos_property): Use SAFE_ALLOCA_LISP, to avoid + segfault when there are lots of overlays. + + * buffer.c (sort_overlays): Use SAFE_NALLOCA, to avoid segfault + when there are lots of overlays. See + http://lists.gnu.org/archive/html/emacs-devel/2013-01/msg00421.html + for the details and a way to reproduce. + 2013-01-19 Paul Eggert * fileio.c: Use O_APPEND to append. diff --git a/src/buffer.c b/src/buffer.c index 66581cb782..aa3fcf8c23 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -3151,7 +3151,10 @@ ptrdiff_t sort_overlays (Lisp_Object *overlay_vec, ptrdiff_t noverlays, struct window *w) { ptrdiff_t i, j; - struct sortvec *sortvec = alloca (noverlays * sizeof *sortvec); + USE_SAFE_ALLOCA; + struct sortvec *sortvec; + + SAFE_NALLOCA (sortvec, 1, noverlays); /* Put the valid and relevant overlays into sortvec. */ @@ -3197,6 +3200,8 @@ sort_overlays (Lisp_Object *overlay_vec, ptrdiff_t noverlays, struct window *w) for (i = 0; i < noverlays; i++) overlay_vec[i] = sortvec[i].overlay; + + SAFE_FREE (); return (noverlays); } diff --git a/src/editfns.c b/src/editfns.c index 197950517b..020285cf4e 100644 --- a/src/editfns.c +++ b/src/editfns.c 
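Review bot: `SAFE_NALLOCA (sortvec, 1, noverlays);` can now place `sortvec` on the heap, and the later context line `overlay_vec[i] = sortvec[i].overlay;` shows that each element holds a Lisp_Object, so the code should say why that is safe. As far as I can tell, the heap path of SAFE_NALLOCA is not scanned by the garbage collector the way an alloca'd block on the C stack is, which is presumably why editfns.c uses SAFE_ALLOCA_LISP for its Lisp_Object array. Here the overlays presumably stay reachable through the caller's `overlay_vec`, so I would record that above the allocation with a comment such as `/* sortvec may be heap-allocated; its overlays remain referenced by overlay_vec, so GC cannot reclaim them while we sort.  */`. The body of sort_overlays between this hunk and the `SAFE_FREE ()` hunk is outside the diff, so this needs confirming against the full function.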
@@ -386,6 +386,7 @@ get_pos_property (Lisp_Object position, register Lisp_Object prop, Lisp_Object o ptrdiff_t noverlays; Lisp_Object *overlay_vec, tem; struct buffer *obuf = current_buffer; + USE_SAFE_ALLOCA; set_buffer_temp (XBUFFER (object)); @@ -398,7 +399,7 @@ get_pos_property (Lisp_Object position, register Lisp_Object prop, Lisp_Object o make enough space for all, and try again. */ if (noverlays > 40) { - overlay_vec = alloca (noverlays * sizeof *overlay_vec); + SAFE_ALLOCA_LISP (overlay_vec, noverlays); noverlays = overlays_around (posn, overlay_vec, noverlays); } noverlays = sort_overlays (overlay_vec, noverlays, NULL); @@ -421,10 +422,12 @@ get_pos_property (Lisp_Object position, register Lisp_Object prop, Lisp_Object o ; /* The overlay will not cover a char inserted at point. */ else { + SAFE_FREE (); return tem; } } } + SAFE_FREE (); { /* Now check the text properties. */ int stickiness = text_property_stickiness (prop, position, object); -- 2.20.1
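Review bot: The retry `noverlays = overlays_around (posn, overlay_vec, noverlays);` stores its result without checking that it still fits the buffer just sized by `SAFE_ALLOCA_LISP (overlay_vec, noverlays);`. The surrounding comment ("make enough space for all, and try again") suggests overlays_around reports the total count even when it exceeds the length passed in, so the value handed to `sort_overlays` is trusted to match the first call. Nothing visible between the two calls can add overlays, but keeping the allocated length in a local and adding `eassert (noverlays <= nalloc);` after the retry would make that assumption explicit. The start of this block, including the first overlays_around call, is outside the hunk.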
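Review bot: The buffer from `SAFE_ALLOCA_LISP` is now released at two separate sites, `SAFE_FREE (); return tem;` inside the loop and `SAFE_FREE ();` after it, so any return added between them later would skip the release. On the heap path the macro also registers an unwind-protect entry, I believe, so a missed SAFE_FREE would leave that entry pending until an outer frame unwinds, not just leak memory. A comment at the allocation such as `/* Every return below must be preceded by SAFE_FREE ().  */` would make the invariant explicit; alternatively, leave the loop with `break` and return `tem` after a single `SAFE_FREE ()`. get_pos_property starts before and continues after these hunks, so other exit paths are not visible here.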