From ebdc80316a464f7e6f827f8b79570e47a8ef4812 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii <eliz@gnu.org>
Date: Tue, 20 May 2014 19:28:39 +0300
Subject: [PATCH] Fix bug #17524 with crashes in creating a new frame with
 invalid font.

 src/w32fns.c (unwind_create_frame) [GLYPH_DEBUG]: If we are
 unwinding when frame's faces were not initialized yet, increment
 the frame's image-cache reference count before calling
 x_free_frame_resources.  Don't dereference
 dpyinfo->terminal->image_cache if it is NULL.
---
 src/ChangeLog |  8 ++++++++
 src/w32fns.c  | 14 +++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 2283677a448..cb54bbd0e70 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2014-05-20  Eli Zaretskii  <eliz@gnu.org>
+
+	* w32fns.c (unwind_create_frame) [GLYPH_DEBUG]: If we are
+	unwinding when frame's faces were not initialized yet, increment
+	the frame's image-cache reference count before calling
+	x_free_frame_resources.  Don't dereference
+	dpyinfo->terminal->image_cache if it is NULL.  (Bug#17524)
+
 2014-05-11  Glenn Morris  <rgm@gnu.org>
 
 	* fileio.c (Ffile_executable_p): Doc tweak.
diff --git a/src/w32fns.c b/src/w32fns.c
index 630059c38f1..638c617df99 100644
--- a/src/w32fns.c
+++ b/src/w32fns.c
@@ -4245,6 +4245,17 @@ unwind_create_frame (Lisp_Object frame)
     {
 #ifdef GLYPH_DEBUG
       struct w32_display_info *dpyinfo = FRAME_DISPLAY_INFO (f);
+
+      /* If the frame's image cache refcount is still the same as our
+	 private shadow variable, it means we are unwinding a frame
+	 for which we didn't yet call init_frame_faces, where the
+	 refcount is incremented.  Therefore, we increment it here, so
+	 that free_frame_faces, called in x_free_frame_resources
+	 below, will not mistakenly decrement the counter that was not
+	 incremented yet to account for this new frame.  */
+      if (FRAME_IMAGE_CACHE (f) != NULL
+	  && FRAME_IMAGE_CACHE (f)->refcount == image_cache_refcount)
+	FRAME_IMAGE_CACHE (f)->refcount++;
 #endif
 
       x_free_frame_resources (f);
@@ -4255,7 +4266,8 @@ unwind_create_frame (Lisp_Object frame)
       eassert (dpyinfo->reference_count == dpyinfo_refcount);
       eassert ((dpyinfo->terminal->image_cache == NULL
 		&& image_cache_refcount == 0)
-	       || dpyinfo->terminal->image_cache->refcount == image_cache_refcount);
+	       || (dpyinfo->terminal->image_cache != NULL
+		   && dpyinfo->terminal->image_cache->refcount == image_cache_refcount));
 #endif
       return Qt;
     }
-- 
2.11.4.GIT