Another fix for using pointer to buffer text

* src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR
after the call to xpalloc, to avoid the danger of buffer text
relocation after its address was taken.  (Bug#24358)

1 files changed, 7 insertions, 2 deletions

diff --git a/src/search.c b/src/search.c
index 5c04916f92e..f8acd40fa08 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions.  */)
           const unsigned char *add_stuff = NULL;
           ptrdiff_t add_len = 0;
           ptrdiff_t idx = -1;
+          ptrdiff_t begbyte;
 
           if (str_multibyte)
             {
@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions.  */)
              set up ADD_STUFF and ADD_LEN to point to it.  */
           if (idx >= 0)
             {
-              ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+              begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
               add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
               if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
                 move_gap_both (search_regs.start[idx], begbyte);
-              add_stuff = BYTE_POS_ADDR (begbyte);
             }
 
           /* Now the stuff we want to add to SUBSTED
@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions.  */)
                        add_len - (substed_alloc_size - substed_len),
                        STRING_BYTES_BOUND, 1);
 
+          /* We compute this after the call to xpalloc, because that
+             could cause buffer text be relocated when ralloc.c is used.  */
+          if (idx >= 0)
+            add_stuff = BYTE_POS_ADDR (begbyte);
+
           /* Now add to the end of SUBSTED.  */
           if (add_stuff)
             {