--- ray/src/common/malloc.c	1992/02/07 15:10:32	2.3
+++ ray/src/common/malloc.c	1992/09/04 18:36:05	2.7
@@ -24,9 +24,17 @@ static char SCCSid[] = "$SunId$ LBL";
 
 #include  <errno.h>
 
+extern int	errno;
+
+#ifndef  BSD
+#define  bcopy(s,d,n)		(void)memcpy(d,s,n)
+#define  bzero(d,n)		(void)memset(d,0,n)
+extern char  *memcpy(), *memset();
+#endif
+
 #ifdef MSTATS
 #include  <stdio.h>
-static unsigned b_nsbrked = 0;
+static unsigned	b_nsbrked = 0;
 static unsigned	b_nalloced = 0;
 static unsigned	b_nfreed = 0;
 static unsigned	b_nscrounged = 0;
@@ -65,8 +73,12 @@ static M_HEAD	*free_list[NBUCKETS];
 
 static ALIGN	dummy_mem;
 
+static char	*memlim[2];
+
 #define DUMMYLOC	((char *)&dummy_mem)
 
+#define BADPTR(p)	((p) < memlim[0] | (p) >= memlim[1])
+
 #ifdef  MCOMP			/* memory compaction routines */
 static char	seedtab[1024];		/* seed for compaction table */
 
@@ -163,7 +175,7 @@ unsigned	*np;
 			big->siz = 0;		/* remove from table */
 			return(big->ptr);	/* return it */
 		}
-		if (mtablen(big) < tablen+1) {
+		if (mtablen(big) <= tablen) {
 			*np = 0;		/* cannot grow table */
 			return(NULL);		/* report failure */
 		}
@@ -173,17 +185,10 @@ unsigned	*np;
 		cptab.ptr = big->ptr;
 		cptab.siz = big->siz;
 		big->siz = 0;			/* clear and copy */
-#ifdef BSD
 		bcopy((char *)tab, (char *)(mtab(&cptab)+1),
 				tablen*sizeof(struct mblk));
 		bzero((char *)(mtab(&cptab)+tablen+1),
 			(mtablen(&cptab)-tablen-1)*sizeof(struct mblk));
-#else
-		(void)memcpy((char *)(mtab(&cptab)+1), (char *)tab,
-				tablen*sizeof(struct mblk));
-		memset((char *)(mtab(&cptab)+tablen+1), 0,
-			(mtablen(&cptab)-tablen-1)*sizeof(struct mblk));
-#endif
 	}			/* next round */
 }
 #endif		/* MCOMP */
@@ -239,11 +244,10 @@ register unsigned  n;
 #ifdef MSTATS
 		b_nsbrked += nrem;
 #endif
-		thisamnt = BYTES_WORD - ((unsigned)bpos&(BYTES_WORD-1));
-		if (thisamnt < BYTES_WORD) {		/* align pointer */
-			bpos += thisamnt;
-			nrem -= thisamnt;
-		}
+		bpos += nrem & (BYTES_WORD-1);		/* align pointer */
+		nrem &= ~(BYTES_WORD-1);
+		memlim[0] = bpos;
+		memlim[1] = bpos + nrem;
 	}
 
 	n = (n+(BYTES_WORD-1))&~(BYTES_WORD-1);		/* word align rqst. */
@@ -271,6 +275,10 @@ register unsigned  n;
 			nrem = thisamnt;
 		} else					/* otherwise tack on */
 			nrem += thisamnt;
+		if (bpos < memlim[0])
+			memlim[0] = bpos;
+		if (bpos + nrem > memlim[1])
+			memlim[1] = bpos + nrem;
 	}
 	p = bpos;
 	bpos += n;					/* advance */
@@ -300,6 +308,10 @@ register unsigned  n;
 		p += bsiz;
 		n -= bsiz;
 	}
+	if (p < memlim[0])
+		memlim[0] = p;
+	if (p + n > memlim[1])
+		memlim[1] = p + n;
 					/* fill big buckets first */
 	for (bucket = NBUCKETS-1, bsiz = 1<<(NBUCKETS-1);
 			bucket >= FIRSTBUCKET; bucket--, bsiz >>= 1)
@@ -316,7 +328,6 @@ char *
 malloc(n)			/* allocate n bytes of memory */
 unsigned	n;
 {
-	extern int  errno;
 	register M_HEAD	*mp;
 	register int	bucket;
 	register unsigned	bsiz;
@@ -358,20 +369,17 @@ unsigned	n;
 	char	*p;
 	register unsigned	on;
 					/* get old size */
-	if (op != NULL && op != DUMMYLOC && ((M_HEAD *)op-1)->a.magic == MAGIC)
+	if (op != DUMMYLOC && !BADPTR(op) &&
+			((M_HEAD *)op-1)->a.magic == MAGIC)
 		on = 1 << ((M_HEAD *)op-1)->a.bucket;
 	else
 		on = 0;
 	if (n <= on && (n > on>>1 || on == 1<<FIRSTBUCKET))
 		return(op);		/* same bucket */
 	if ((p = malloc(n)) == NULL)
-		return(NULL);
+		return(n<=on ? op : NULL);
 	if (on) {
-#ifdef  BSD
 		bcopy(op, p, n>on ? on : n);
-#else
-		(void)memcpy(p, op, n>on ? on : n);
-#endif
 		free(op);
 	}
 	return(p);
@@ -384,20 +392,25 @@ char	*p;
 	register M_HEAD	*mp;
 	register int	bucket;
 
-	if (p == NULL | p == DUMMYLOC)
+	if (p == DUMMYLOC)
 		return(1);
+	if (BADPTR(p))
+		goto invalid;
 	mp = (M_HEAD *)p - 1;
 	if (mp->a.magic != MAGIC)		/* sanity check */
-		return(0);
+		goto invalid;
 	bucket = mp->a.bucket;
 	if (bucket < FIRSTBUCKET | bucket >= NBUCKETS)
-		return(0);
+		goto invalid;
 	mp->next = free_list[bucket];
 	free_list[bucket] = mp;
 #ifdef MSTATS
 	m_nfreed += (1 << bucket) + sizeof(M_HEAD);
 #endif
 	return(1);
+invalid:
+	errno = EINVAL;
+	return(0);
 }