3 files changed, 21 insertions, 6 deletions

diff --git a/src/gmalloc.c b/src/gmalloc.c
index 33d424fe9af..6ca35ec5f15 100644
--- a/src/gmalloc.c
+++ b/src/gmalloc.c
@@ -35,10 +35,6 @@ License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 #include <pthread.h>
 #endif
 
-#ifdef WINDOWSNT
-#include <w32heap.h>	/* for sbrk */
-#endif
-
 #ifdef emacs
 # include "lisp.h"
 #endif
diff --git a/src/search.c b/src/search.c
index bcb5ee95edb..127a57ab1db 100644
--- a/src/search.c
+++ b/src/search.c
@@ -1226,6 +1226,8 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
 			      ? &search_regs : &search_regs_1),
 			     /* Don't allow match past current point */
 			     pos_byte - BEGV_BYTE);
+	  /* Update 'base' due to possible relocation inside re_search_2.  */
+	  base = current_buffer->text->beg;
 	  if (val == -2)
 	    {
 	      matcher_overflow ();
@@ -1272,6 +1274,8 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
 			     (NILP (Vinhibit_changing_match_data)
 			      ? &search_regs : &search_regs_1),
 			     lim_byte - BEGV_BYTE);
+	  /* Update 'base' due to possible relocation inside re_search_2.  */
+	  base = current_buffer->text->beg;
 	  if (val == -2)
 	    {
 	      matcher_overflow ();
diff --git a/src/xml.c b/src/xml.c
index 03e9053f297..7d61dc7413e 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -181,6 +181,7 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
   Lisp_Object result = Qnil;
   const char *burl = "";
   ptrdiff_t istart, iend, istart_byte, iend_byte;
+  unsigned char *buftext;
 
   xmlCheckVersion (LIBXML_VERSION);
 
@@ -200,18 +201,32 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
       burl = SSDATA (base_url);
     }
 
+  buftext = BYTE_POS_ADDR (istart_byte);
+#ifdef REL_ALLOC
+  /* Prevent ralloc.c from relocating the current buffer while libxml2
+     functions below read its text.  */
+  r_alloc_inhibit_buffer_relocation (1);
+#endif
   if (htmlp)
-    doc = htmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
+    doc = htmlReadMemory ((char *)buftext,
 			  iend_byte - istart_byte, burl, "utf-8",
 			  HTML_PARSE_RECOVER|HTML_PARSE_NONET|
 			  HTML_PARSE_NOWARNING|HTML_PARSE_NOERROR|
 			  HTML_PARSE_NOBLANKS);
   else
-    doc = xmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
+    doc = xmlReadMemory ((char *)buftext,
 			 iend_byte - istart_byte, burl, "utf-8",
 			 XML_PARSE_NONET|XML_PARSE_NOWARNING|
 			 XML_PARSE_NOBLANKS |XML_PARSE_NOERROR);
 
+#ifdef REL_ALLOC
+  r_alloc_inhibit_buffer_relocation (0);
+#endif
+  /* If the assertion below fails, malloc was called inside the above
+     libxml2 functions, and ralloc.c caused relocation of buffer text,
+     so we could have read from unrelated memory.  */
+  eassert (buftext == BYTE_POS_ADDR (istart_byte));
+
   if (doc != NULL)
     {
       Lisp_Object r = Qnil;