From ffcd777f8062fb24dff7c9d2a46547001e158b05 Mon Sep 17 00:00:00 2001
From: Antti Kantee
Date: Fri, 16 Jan 2015 00:45:24 +0000
Subject: [PATCH] fix realloc() to use correct existing size
prevents memory corruption in certain realloc() scenarios reported by @mato
---
 lib/memalloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/memalloc.c b/lib/memalloc.c
index 239e961..8668d9a 100644
--- a/lib/memalloc.c
+++ b/lib/memalloc.c
@@ -473,7 +473,7 @@ memrealloc(void *cp, size_t nbytes)
 alignpad = op->ov_alignpad;
 /* don't bother "compacting". don't like it? don't use realloc! */
- if (((1<<(size+MINSHIFT)) - (alignpad+sizeof(*op))) >= nbytes)
+ if (((1<<(size+MINSHIFT)) - alignpad) >= nbytes)
 return cp;
 /* we're gonna need a bigger bucket */
@@ -481,7 +481,7 @@ memrealloc(void *cp, size_t nbytes)
 if (np == NULL)
 return NULL;
- memcpy(np, cp, (1<<(size+MINSHIFT)) - (alignpad+sizeof(*op)));
+ memcpy(np, cp, (1<<(size+MINSHIFT)) - alignpad);
 memfree(cp);
 return np;
 }
-- 
2.39.5
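Review bot: The usable-size expression `(1<<(size+MINSHIFT)) - alignpad` is now written twice, once in the fits-in-place check of the first hunk and again as the memcpy length in the second, and both evaluate a left shift in `int` whose width depends on `size+MINSHIFT`; hoisting it into a single `size_t cursize = (1<<(size+MINSHIFT)) - alignpad;` before the check and using `cursize` in both places keeps the two paths from drifting apart again, which is exactly how the bug being fixed here arose. The corrected comparison relies on `ov_alignpad` already covering the `*op` header, which the hunk implies but does not state; a comment such as `/* ov_alignpad already accounts for the ovu header, so bucket size minus it is the caller-visible length */` would record that invariant for the next reader, to be confirmed by whoever maintains the allocator. If `alignpad` could ever exceed the bucket size the subtraction wraps once promoted for the comparison against `nbytes`, so an `assert` on that invariant would be cheap insurance. memrealloc begins before the first hunk, so its earlier derivation of `size` and `op` is not visible here.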