--- ray/src/common/malloc.c	1991/12/13 10:28:42	2.2
+++ ray/src/common/malloc.c	1992/09/04 09:57:43	2.6
@@ -1,4 +1,4 @@
-/* Copyright (c) 1991 Regents of the University of California */
+/* Copyright (c) 1992 Regents of the University of California */
 
 #ifndef lint
 static char SCCSid[] = "$SunId$ LBL";
@@ -24,9 +24,11 @@ static char SCCSid[] = "$SunId$ LBL";
 
 #include  <errno.h>
 
+extern int	errno;
+
 #ifdef MSTATS
 #include  <stdio.h>
-static unsigned b_nsbrked = 0;
+static unsigned	b_nsbrked = 0;
 static unsigned	b_nalloced = 0;
 static unsigned	b_nfreed = 0;
 static unsigned	b_nscrounged = 0;
@@ -65,8 +67,12 @@ static M_HEAD	*free_list[NBUCKETS];
 
 static ALIGN	dummy_mem;
 
+static char	*memlim[2];
+
 #define DUMMYLOC	((char *)&dummy_mem)
 
+#define BADPTR(p)	((p) < memlim[0] | (p) >= memlim[1])
+
 #ifdef  MCOMP			/* memory compaction routines */
 static char	seedtab[1024];		/* seed for compaction table */
 
@@ -233,12 +239,16 @@ register unsigned  n;
 		pagesz = amnt = getpagesize();
 		nrem = (int)sbrk(0);			/* page align break */
 		nrem = pagesz - (nrem&(pagesz-1));
-		bpos = sbrk(nrem);			/* word aligned! */
+		bpos = sbrk(nrem);
 		if ((int)bpos == -1)
 			return(NULL);
 #ifdef MSTATS
 		b_nsbrked += nrem;
 #endif
+		bpos += nrem & (BYTES_WORD-1);		/* align pointer */
+		nrem &= ~(BYTES_WORD-1);
+		memlim[0] = bpos;
+		memlim[1] = bpos + nrem;
 	}
 
 	n = (n+(BYTES_WORD-1))&~(BYTES_WORD-1);		/* word align rqst. */
@@ -266,6 +276,10 @@ register unsigned  n;
 			nrem = thisamnt;
 		} else					/* otherwise tack on */
 			nrem += thisamnt;
+		if (bpos < memlim[0])
+			memlim[0] = bpos;
+		if (bpos + nrem > memlim[1])
+			memlim[1] = bpos + nrem;
 	}
 	p = bpos;
 	bpos += n;					/* advance */
@@ -295,6 +309,10 @@ register unsigned  n;
 		p += bsiz;
 		n -= bsiz;
 	}
+	if (p < memlim[0])
+		memlim[0] = p;
+	if (p + n > memlim[1])
+		memlim[1] = p + n;
 					/* fill big buckets first */
 	for (bucket = NBUCKETS-1, bsiz = 1<<(NBUCKETS-1);
 			bucket >= FIRSTBUCKET; bucket--, bsiz >>= 1)
@@ -311,7 +329,6 @@ char *
 malloc(n)			/* allocate n bytes of memory */
 unsigned	n;
 {
-	extern int  errno;
 	register M_HEAD	*mp;
 	register int	bucket;
 	register unsigned	bsiz;
@@ -353,14 +370,15 @@ unsigned	n;
 	char	*p;
 	register unsigned	on;
 					/* get old size */
-	if (op != NULL && op != DUMMYLOC && ((M_HEAD *)op-1)->a.magic == MAGIC)
+	if (op != DUMMYLOC && !BADPTR(op) &&
+			((M_HEAD *)op-1)->a.magic == MAGIC)
 		on = 1 << ((M_HEAD *)op-1)->a.bucket;
 	else
 		on = 0;
 	if (n <= on && (n > on>>1 || on == 1<<FIRSTBUCKET))
 		return(op);		/* same bucket */
 	if ((p = malloc(n)) == NULL)
-		return(NULL);
+		return(n<=on ? op : NULL);
 	if (on) {
 #ifdef  BSD
 		bcopy(op, p, n>on ? on : n);
@@ -379,20 +397,25 @@ char	*p;
 	register M_HEAD	*mp;
 	register int	bucket;
 
-	if (p == NULL | p == DUMMYLOC)
+	if (p == DUMMYLOC)
 		return(1);
+	if (BADPTR(p))
+		goto invalid;
 	mp = (M_HEAD *)p - 1;
 	if (mp->a.magic != MAGIC)		/* sanity check */
-		return(0);
+		goto invalid;
 	bucket = mp->a.bucket;
 	if (bucket < FIRSTBUCKET | bucket >= NBUCKETS)
-		return(0);
+		goto invalid;
 	mp->next = free_list[bucket];
 	free_list[bucket] = mp;
 #ifdef MSTATS
 	m_nfreed += (1 << bucket) + sizeof(M_HEAD);
 #endif
 	return(1);
+invalid:
+	errno = EINVAL;
+	return(0);
 }