From 6635438f25bd0f83ba3d8b1a48c88d630313efbe Mon Sep 17 00:00:00 2001
From: Rob Browning <rlb@defaultvalue.org>
Date: Mon, 4 Apr 2011 22:46:33 -0500
Subject: [PATCH] prevent-string-stack-overflow.diff * The string and
 unibyte-string functions should no longer overflow the stack.   Patch:
 prevent-string-stack-overflow.diff   Provided-by: Carl Worth
 <cworth@debian.org>   Date: Sat, 19 Jun 2010 11:12:06 -0700   Added-by: Rob
 Browning <rlb@defaultvalue.org>   Status: incorporated upstream

  The Debian patch is taken from this upstream commit:

    revno: 99634.2.173
    committer: Chong Yidong <cyd@stupidchicken.com>
    branch nick: emacs-23
    timestamp: Tue 2010-05-18 14:01:10 -0400
    message:
      * character.c (Fstring, Funibyte_string): Use SAFE_ALLOCA to
      prevent stack overflow if number of arguments is too large
      (Bug#6214).
---
 src/ChangeLog   |  6 ++++++
 src/character.c | 30 ++++++++++++++++++++----------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 7510a54759b..c27cc246926 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2010-05-18  Chong Yidong  <cyd@stupidchicken.com>
+
+	* character.c (Fstring, Funibyte_string): Use SAFE_ALLOCA to
+	prevent stack overflow if number of arguments is too large
+	(Bug#6214).
+
 2010-05-07  Chong Yidong  <cyd@stupidchicken.com>
 
 	* Version 23.2 released.
diff --git a/src/character.c b/src/character.c
index 5912a70d0ce..7cd1eedcef4 100644
--- a/src/character.c
+++ b/src/character.c
@@ -961,10 +961,13 @@ usage: (string &rest CHARACTERS)  */)
      int n;
      Lisp_Object *args;
 {
-  int i;
-  unsigned char *buf = (unsigned char *) alloca (MAX_MULTIBYTE_LENGTH * n);
-  unsigned char *p = buf;
-  int c;
+  int i, c;
+  unsigned char *buf, *p;
+  Lisp_Object str;
+  USE_SAFE_ALLOCA;
+
+  SAFE_ALLOCA (buf, unsigned char *, MAX_MULTIBYTE_LENGTH * n);
+  p = buf;
 
   for (i = 0; i < n; i++)
     {
@@ -973,7 +976,9 @@ usage: (string &rest CHARACTERS)  */)
       p += CHAR_STRING (c, p);
     }
 
-  return make_string_from_bytes ((char *) buf, n, p - buf);
+  str = make_string_from_bytes ((char *) buf, n, p - buf);
+  SAFE_FREE ();
+  return str;
 }
 
 DEFUN ("unibyte-string", Funibyte_string, Sunibyte_string, 0, MANY, 0,
@@ -983,10 +988,13 @@ usage: (unibyte-string &rest BYTES)  */)
      int n;
      Lisp_Object *args;
 {
-  int i;
-  unsigned char *buf = (unsigned char *) alloca (n);
-  unsigned char *p = buf;
-  unsigned c;
+  int i, c;
+  unsigned char *buf, *p;
+  Lisp_Object str;
+  USE_SAFE_ALLOCA;
+
+  SAFE_ALLOCA (buf, unsigned char *, n);
+  p = buf;
 
   for (i = 0; i < n; i++)
     {
@@ -997,7 +1005,9 @@ usage: (unibyte-string &rest BYTES)  */)
       *p++ = c;
     }
 
-  return make_string_from_bytes ((char *) buf, n, p - buf);
+  str = make_string_from_bytes ((char *) buf, n, p - buf);
+  SAFE_FREE ();
+  return str;
 }
 
 DEFUN ("char-resolve-modifiers", Fchar_resolve_modifiers,
-- 
2.30.2