From 14ebe4d5dbd4e6637de227c8561aab22cf4b632c Mon Sep 17 00:00:00 2001
From: Pip Cet
Date: Mon, 3 Feb 2025 20:40:34 +0000
Subject: [PATCH] Fix GC-related crashes in styled_format (bug#75754)

This approach ensures we don't use an SSDATA pointer after GC, and that no Lisp callback code can modify the format string while we're working on it.

* src/editfns.c (styled_format): Operate on a copy of the format string rather than the original. Ensure final NUL byte is copied.
---
 src/editfns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/editfns.c b/src/editfns.c
index 4ba356d627c..f9258392146 100644
--- a/src/editfns.c
+++ b/src/editfns.c
@@ -3442,9 +3442,10 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message)
   } *info;
 
   CHECK_STRING (args[0]);
-  char *format_start = SSDATA (args[0]);
   bool multibyte_format = STRING_MULTIBYTE (args[0]);
   ptrdiff_t formatlen = SBYTES (args[0]);
+  char *format_start = SAFE_ALLOCA (formatlen + 1);
+  memcpy (format_start, SSDATA (args[0]), formatlen + 1);
   bool fmt_props = !!string_intervals (args[0]);
 
   /* Upper bound on number of format specs.  Each uses at least 2 chars.  */
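Review bot: The new `char *format_start = SAFE_ALLOCA (formatlen + 1);` line carries no comment explaining why a private copy is taken, so the next reader will see an apparently redundant memcpy of a string that is already in memory and may "simplify" it back to the `SSDATA (args[0])` form this commit removes, reintroducing the use-after-GC and the window in which Lisp code invoked during formatting can rewrite the bytes being parsed. I would add, above the SAFE_ALLOCA line, `/* Work on a private copy: Lisp code run while formatting (e.g. printing %S arguments) can trigger GC or mutate ARGS[0], which would invalidate a raw SSDATA pointer.  */`. The `formatlen + 1` copy relies on the Lisp string's data carrying a trailing NUL after its SBYTES bytes; that holds for Emacs string data as far as I know, but it is worth stating in the same comment so the `+ 1` is not read as an off-by-one. SAFE_ALLOCA also presumes USE_SAFE_ALLOCA and the matching SAFE_FREE are present in styled_format; both the function's start and its end are outside this hunk, so please confirm rather than rely on the other SAFE_ALLOCA uses in the same function.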