Fix recently introduced bool vector overrun.

This was due to an optimization that went awry.
Reported by Glenn Morris in
<http://lists.gnu.org/archive/html/emacs-devel/2013-11/msg00622.html>.
* alloc.c (make_uninit_bool_vector): Don't allocate a dummy word
for empty vectors, undoing the 2013-11-18 change.
* data.c (bool_vector_binop_driver): Rely on this.
Fix bug that occasionally overran the destination.
* lisp.h (struct Lisp_Bool_vector): Document this.

1 files changed, 4 insertions, 5 deletions

diff --git a/src/alloc.c b/src/alloc.c
index 7c560fd0f0d..283bc613c82 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -2066,8 +2066,7 @@ Lisp_Object
 make_uninit_bool_vector (EMACS_INT nbits)
 {
   Lisp_Object val;
-  EMACS_INT words0 = bool_vector_words (nbits);
-  EMACS_INT words = words0 + !words0;  /* Allocate at least one word.  */
+  EMACS_INT words = bool_vector_words (nbits);
   EMACS_INT word_bytes = words * sizeof (bits_word);
   EMACS_INT needed_elements = ((bool_header_size - header_size + word_bytes
                                 + word_size - 1)
@@ -2078,9 +2077,9 @@ make_uninit_bool_vector (EMACS_INT nbits)
   XSETPVECTYPESIZE (XVECTOR (val), PVEC_BOOL_VECTOR, 0, 0);
   p->size = nbits;
 
-  /* Clear padding at the end.  If NBITS != 0 this initializes more
-     than it needs to, but that's OK.  */
-  p->data[words - 1] = 0;
+  /* Clear padding at the end.  */
+  if (words)
+    p->data[words - 1] = 0;
 
   return val;
 }