diff --git a/CHANGES b/CHANGES
index c82695ca94..43a779680e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 862.	[bug]		Use after realloc(), non portable pointer arithmetic in
+			grmerge().
+
  861.	[port]		Add support for Mac OS X, by making it equivalent
  			to Darwin.  This was derived from the config.guess
 			file shipped with Mac OS X. [RT #1355]
diff --git a/lib/bind/irs/gen_gr.c b/lib/bind/irs/gen_gr.c
index adf707ebc3..d9b498fe3e 100644
--- a/lib/bind/irs/gen_gr.c
+++ b/lib/bind/irs/gen_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_gr.c,v 1.2 2001/05/25 03:32:40 marka Exp $";
+static const char rcsid[] = "$Id: gen_gr.c,v 1.3 2001/06/07 00:22:35 marka Exp $";
 #endif
 
 /* Imports */
@@ -324,8 +324,9 @@ gr_res_set(struct irs_gr *this, struct __res_state *res,
 static void
 grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 	struct pvt *pvt = (struct pvt *)this->private;
-	char *cp, **m, **p;
-	int n, ndst, nnew, memadj;
+	char *cp, **m, **p, *oldmembuf;
+	int n, ndst, nnew;
+	size_t used;
 
 	if (!preserve) {
 		pvt->group.gr_gid = src->gr_gid;
@@ -372,18 +373,23 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 		/* No work to do. */
 		return;
 	}
-	cp = realloc(pvt->membuf, (preserve ? pvt->membufsize : 0) + n);
+	used = preserve ? pvt->membufsize : 0;
+	cp = realloc(pvt->membuf, used + n);
 	if (!cp) {
 		/* No harm done, no work done. */
 		return;
 	}
-	memadj = cp - pvt->membuf;
+	oldmembuf = pvt->membuf;
 	pvt->membuf = cp;
-	if (preserve) {
-		cp += pvt->membufsize;
-		pvt->membufsize += n;
-	} else
-		pvt->membufsize = n;
+	pvt->membufsize = used + n;
+	cp += used;
+
+	/*
+	 * Adjust group.gr_mem.
+	 */
+	if (pvt->membuf != oldmembuf)
+		for (m = pvt->group.gr_mem; *m; m++)
+			*m = pvt->membuf + (*m - oldmembuf);
 
 	/*
 	 * Add new elements.
@@ -396,8 +402,10 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 			cp += strlen(cp) + 1;
 		}
 	if (preserve) {
-		pvt->group.gr_name += memadj;
-		pvt->group.gr_passwd += memadj;
+		pvt->group.gr_name = pvt->membuf + 
+				     (pvt->group.gr_name - oldmembuf);
+		pvt->group.gr_passwd = pvt->membuf + 
+				       (pvt->group.gr_passwd - oldmembuf);
 	} else {
 		pvt->group.gr_name = cp;
 		strcpy(cp, src->gr_name);