From 1211cf79ccb7d9bc23e4acec6aac2db44321577c Mon Sep 17 00:00:00 2001
From: tg <tg@mirbsd.org>
Date: Wed, 12 Nov 2008 05:27:01 +0000
Subject: [PATCH] =?UTF-8?q?=E2=80=A2=20bp->last=20=3D=3D=20bp->endp=20is?=
 =?UTF-8?q?=20allowed=20=E2=80=A2=20do=20the=20realloc=20properly?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 aalloc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/aalloc.c b/aalloc.c
index a7d97e6..d439cf0 100644
--- a/aalloc.c
+++ b/aalloc.c
@@ -1,6 +1,6 @@
 #include "sh.h"
 
-__RCSID("$MirOS: src/bin/mksh/aalloc.c,v 1.4 2008/11/12 05:11:05 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/aalloc.c,v 1.5 2008/11/12 05:27:01 tg Exp $");
 
 /* mksh integration of aalloc */
 
@@ -224,7 +224,7 @@ check_bp(PArea ap, const char *funcname, TCookie ocookie)
 		    funcname, bp, bp->endp);
 		return (NULL);
 	}
-	if ((bp->last < (char *)&bp->storage) || (bp->last >= bp->endp)) {
+	if ((bp->last < (char *)&bp->storage) || (bp->last > bp->endp)) {
 		AALLOC_WARN("%s: block %p last pointer out of bounds: "
 		    "%p < %p < %p", funcname, bp, &bp->storage, bp->last,
 		    bp->endp);
@@ -354,6 +354,8 @@ alloc(size_t nmemb, size_t size, PArea ap)
 		bsz = bp->endp - (char *)bp;
 		safe_muladd((size_t)2, bsz, 0);
 		safe_realloc(bp, bsz);
+		bp->last = (char *)bp + (bsz / 2);
+		bp->endp = (char *)bp + bsz;
 
 		/* “bp” has possibly changed, enter its new value into ap */
 		ap->bp.pv = (char *)bp;