Avoid crashing with key-chord (Bug#20223)

 src/keyboard.c (read_key_sequence): Don't let
 this_single_command_key_start become negative.

diff --git a/src/ChangeLog b/src/ChangeLog
index f0ed9e74745d2e6920ba6e1ef3e4901d23101a09..7c7892a3fe847d126c9dc189c805712d7ba46f05 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-03-31  Eli Zaretskii  <eliz@gnu.org>
+
+       * keyboard.c (read_key_sequence): Don't let
+       this_single_command_key_start become negative.  (Bug#20223)
+
 2015-03-29  Jan Djärv  <jan.h.d@swipnet.se>
 
        * gtkutil.c (xg_display_open):

diff --git a/src/keyboard.c b/src/keyboard.c
index bf65df1584c628bbb950e9b0a365abd4016f3c87..2d047da5511147929db6aef495a5aff448a449a3 100644 (file)
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -9591,6 +9591,18 @@ read_key_sequence (Lisp_Object *keybuf, int bufsize, Lisp_Object prompt,
 
       /* Record what part of this_command_keys is the current key sequence.  */
       this_single_command_key_start = this_command_key_count - t;
+      /* When 'input-method-function' called above causes events to be
+        put on 'unread-post-input-method-events', and as result
+        'reread' is set to 'true', the value of 't' can become larger
+        than 'this_command_key_count', because 'add_command_key' is
+        not called to update 'this_command_key_count'.  If this
+        happens, 'this_single_command_key_start' will become negative
+        above, and any call to 'this-single-command-keys' will return
+        a garbled vector.  See bug #20223 for one such situation.
+        Here we force 'this_single_command_key_start' to never become
+        negative, to avoid that.  */
+      if (this_single_command_key_start < 0)
+       this_single_command_key_start = 0;
 
       /* Look for this sequence in input-decode-map.
         Scan from indec.end until we find a bound suffix.  */