fix realloc() to use correct existing size
authorAntti Kantee <pooka@iki.fi>
Fri, 16 Jan 2015 00:45:24 +0000 (00:45 +0000)
committerAntti Kantee <pooka@iki.fi>
Fri, 16 Jan 2015 00:45:24 +0000 (00:45 +0000)
prevents memory corruption in certain realloc() scenarios
reported by @mato

lib/memalloc.c

index 239e9617ef5de25047478d917813688032605c0b..8668d9a2eaf62a33e611f2cfc63a2fbe971e4dd4 100644 (file)
@@ -473,7 +473,7 @@ memrealloc(void *cp, size_t nbytes)
        alignpad = op->ov_alignpad;
 
        /* don't bother "compacting".  don't like it?  don't use realloc! */
-       if (((1<<(size+MINSHIFT)) - (alignpad+sizeof(*op))) >= nbytes)
+       if (((1<<(size+MINSHIFT)) - alignpad) >= nbytes)
                return cp;
 
        /* we're gonna need a bigger bucket */
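Review bot: The usable-size expression `(1<<(size+MINSHIFT)) - alignpad` is still written out twice, here in the in-place check and again as the `memcpy` length in the second hunk, and it is evaluated as `int` before being compared with the `size_t` `nbytes`. Two copies of the expression are how a mismatch like the one this commit fixes can come back, and if `alignpad` ever exceeded the bucket size the negative result would convert to a very large unsigned value on both lines. I would compute it once, `size_t oldsz = ((size_t)1 << (size+MINSHIFT)) - alignpad;`, with a bounds check on `alignpad` against the bucket size before the subtraction, and use `oldsz` in both places. A short comment saying that `ov_alignpad` already accounts for the header would explain why `sizeof(*op)` is no longer subtracted; the hunks imply this but do not show it. memrealloc's body starts outside both hunks, so the types of `size` and `alignpad` are inferred.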
@@ -481,7 +481,7 @@ memrealloc(void *cp, size_t nbytes)
        if (np == NULL)
                return NULL;
 
-       memcpy(np, cp, (1<<(size+MINSHIFT)) - (alignpad+sizeof(*op)));
+       memcpy(np, cp, (1<<(size+MINSHIFT)) - alignpad);
        memfree(cp);
        return np;
 }