From 7e188ca7b0e51bf7ffda413cebc53da9ebfe0cd6 Mon Sep 17 00:00:00 2001
From: Philip <pipcet@gmail.com>
Date: Tue, 1 Sep 2015 10:12:31 +0000
Subject: [PATCH] Fix potential race conditions (bug #23380)

        * keyboard.c (timer_check): Call `block_input' around the creation
	of the temporary timer list copy.

	* fns.c (concat): Don't assume argument size remains unchanged
	after call to `Fmake_list'.
---
 src/fns.c      | 3 +++
 src/keyboard.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/src/fns.c b/src/fns.c
index 26a98ab..43ff550 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -744,6 +744,9 @@ concat (ptrdiff_t nargs, Lisp_Object *args,
 	    /* Store this element into the result.  */
 	    if (toindex < 0)
 	      {
+                if (EQ (tail, Qnil))
+                  break;
+
 		XSETCAR (tail, elt);
 		prev = tail;
 		tail = XCDR (tail);
diff --git a/src/keyboard.c b/src/keyboard.c
index dab32b1..4b7d675 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -4560,6 +4560,7 @@ timer_check (void)
 
   Lisp_Object tem = Vinhibit_quit;
   Vinhibit_quit = Qt;
+  block_input ();
 
   /* We use copies of the timers' lists to allow a timer to add itself
      again, without locking up Emacs if the newly added timer is
@@ -4573,6 +4574,7 @@ timer_check (void)
   else
     idle_timers = Qnil;
 
+  unblock_input ();
   Vinhibit_quit = tem;
 
   do
-- 
2.5.0