* A bug in the supplied realloc() replacement could result in heap

corruption. (No resulting failures have been observed with ex so far.)

mapmalloc.c

@@ -1,8 +1,7 @@
 /*
  * AT&T Unix 7th Edition memory allocation routines.
  *
- * Modified for ex by Gunnar Ritter, Freiburg i. Br., Germany,
- * February 2005.
+ * Modified by Gunnar Ritter, Freiburg i. Br., Germany, February 2005.
  *
  * Copyright(C) Caldera International Inc. 2001-2002. All rights reserved.
  *
@@ -36,7 +35,7 @@
  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
  * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- *	Sccsid @(#)mapmalloc.c	1.6 (gritter) 6/19/05
+ *	Sccsid @(#)mapmalloc.c	1.7 (gritter) 8/18/05
  */
 
 #ifdef	VMUNIX
@@ -201,8 +200,8 @@ map(void *addr, size_t len)
 	return(mmap(addr,len,PROT_READ|PROT_WRITE,flags,fd,0));
 }
 
-void *
-malloc(size_t nbytes)
+static void *
+mallock(size_t nbytes, union store *start, union store *end)
 {
 	register union store *p, *q;
 	struct pool *o;
@@ -240,7 +239,9 @@ first:	if(allocs[0].ptr==0) {	/*first time for this pool*/
 					if (ua)
 						allocp = p->ptr;
 				}
-				if(q>=p+nw && p+nw>=p)
+				if(q>=p+nw && p+nw>=p && (start==NULL ||
+						p+nw<start || p>end ||
+						p+2==start))
 					goto found;
 			}
 			q = p;
@@ -303,6 +304,12 @@ found:
 	return(p+2);
 }
 
+void *
+malloc(size_t nbytes)
+{
+	return mallock(nbytes, NULL, NULL);
+}
+
 /*	freeing strategy tuned for LIFO allocation
 */
 void 
@@ -350,7 +357,7 @@ realloc(void *ap, size_t nbytes)
 		free(p);
 	onw = p[-2].ptr - p;
 	o = p[-1].pool;
-	q = malloc(nbytes);
+	q = mallock(nbytes, p, &p[onw]);
 	if(q==NULL || q==p)
 		return(q);
 	s = p;