bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs

[Po Lu]

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> int count = inhibit_garbahe_collection ();
> redisplay ();
> unbind_to...

Why would you only inhibit garbage collection there?  What if some
finalizer function calls preedit text inside process_pending_signals?

Also, what about where we decode X preconversion text?

In the recent past, Emacs also used to run Lisp as part of the character
conversion of keyboard input, straight from handle_one_xevent:

            if (nchars < nbytes)
              {
                /* Decode the input data.  */

                /* The input should be decoded with `coding_system'
                   which depends on which X*LookupString function
                   we used just above and the locale.  */
                setup_coding_system (coding_system, &coding);
                coding.src_multibyte = false;
                coding.dst_multibyte = true;
                /* The input is converted to events, thus we can't
                   handle composition.  Anyway, there's no XIM that
                   gives us composition information.  */
                coding.common_flags &= ~CODING_ANNOTATION_MASK;

                SAFE_NALLOCA (coding.destination, MAX_MULTIBYTE_LENGTH,
                              nbytes);
                coding.dst_bytes = MAX_MULTIBYTE_LENGTH * nbytes;
                coding.mode |= CODING_MODE_LAST_BLOCK;
                decode_coding_c_string (&coding, copy_bufptr, nbytes, Qnil);
                nbytes = coding.produced;
                nchars = coding.produced_char;
                copy_bufptr = coding.destination;
              }

How come that never caused problems?

Thanks.