$OpenBSD: patch-modules_access_rtsp_real_c,v 1.1 2012/03/21 08:27:29 ajacoutot Exp $

Fix heap overflows. SA-1202

--- modules/access/rtsp/real.c.orig	Thu Apr 15 12:56:07 2010
+++ modules/access/rtsp/real.c	Tue Mar 20 16:32:47 2012
@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *res
     chksum[i] = response[i*4];
 }
 
+#define MLTI_BUF_MAX_SIZE 2048
 
 /*
  * takes a MLTI-Chunk and a rule number got from match_asm_rule,
@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, in
       ||(mlti_chunk[3] != 'I'))
   {
     lprintf("MLTI tag not detected, copying data\n");
-    memcpy(*out, mlti_chunk, mlti_size);
+    memcpy(*out, mlti_chunk, __MIN(mlti_size,MLTI_BUF_MAX_SIZE));
     return mlti_size;
   }
 
@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, in
   }
   size=BE_32(mlti_chunk);
 
-  memcpy(*out, mlti_chunk+4, size);
+  memcpy(*out, mlti_chunk+4, __MIN(size,MLTI_BUF_MAX_SIZE));
   return size;
 }
 
@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char 
   desc=sdpplin_parse(data);
   if( !desc ) return NULL;
 
-  buf= (char *)malloc(2048);
+  buf= (char *)malloc(MLTI_BUF_MAX_SIZE);
   if( !buf ) goto error;
 
   header = calloc( 1, sizeof(rmff_header_t) );