--- a/src/ChangeLog	Thu Mar 12 00:59:27 2015 +0000
+++ b/src/ChangeLog	Thu Mar 12 23:31:42 2015 +0000
@@ -1,3 +1,12 @@
+2015-03-12  Aidan Kehoe  <kehoea@parhasard.net>
+
+	* event-stream.c (lookup_command_event):
+	Check whether echo_buf_fill_pointer is negative before using it in
+	arithmetic, avoiding a crash in GC.
+	Oddly the old code didn't do this check and didn't crash, but its
+	echo_buf was from malloced memory, not from our string data, so
+	there may have been more room to manoeuvre.
+
 2015-03-04  Aidan Kehoe  <kehoea@parhasard.net>
 
 	* sequence.c (count_with_tail):

--- a/src/event-stream.c	Thu Mar 12 00:59:27 2015 +0000
+++ b/src/event-stream.c	Thu Mar 12 23:31:42 2015 +0000
@@ -4067,10 +4067,11 @@
 #endif
 	  {
 	    Lisp_Object prompt = Fkeymap_prompt (leaf, Qt);
-	    if (STRINGP (prompt))
+	    if (STRINGP (prompt) && STRINGP (command_builder->echo_buf))
 	      {
 		/* Append keymap prompt to key echo buffer */
-		int buf_fill_pointer = command_builder->echo_buf_fill_pointer;
+		Bytecount buf_fill_pointer
+                  = max (command_builder->echo_buf_fill_pointer, 0);
 		Bytecount len = XSTRING_LENGTH (prompt);
 
 		if (len + buf_fill_pointer + 1
@@ -4090,7 +4091,8 @@
                     /* Show the keymap prompt, but don't adjust the fill
                        pointer to reflect it. */
                     command_builder->echo_buf_end
-                      = command_builder->echo_buf_fill_pointer + len;
+                      = buf_fill_pointer + len;
+                    command_builder->echo_buf_fill_pointer = buf_fill_pointer;
 		  }
 		maybe_echo_keys (command_builder, 1);
 	      }