From 6327c4b01869fd7c3f3457810aaabfab73b40ed5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sun, 10 Jul 2011 23:36:31 +0300
Subject: [PATCH 1/2] real: fix heap buffer overflow (CVE-2011-2587)
---
 modules/demux/real.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/demux/real.c b/modules/demux/real.c
index 269ded3..b0e2677 100644
--- a/modules/demux/real.c
+++ b/modules/demux/real.c
@@ -841,7 +841,8 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
 demux_sys_t *p_sys = p_demux->p_sys;
 block_t *p_block = tk->p_sipr_packet;
- if( p_sys->i_buffer < tk->i_frame_size )
+ if( p_sys->i_buffer < tk->i_frame_size
+ || tk->i_sipr_subpacket_count >= tk->i_subpacket_h )
 return;
 if( !p_block )
@@ -851,7 +852,6 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
 return; tk->p_sipr_packet = p_block; } - memcpy( p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size, p_sys->buffer, tk->i_frame_size ); if (!tk->i_sipr_subpacket_count)
--
1.7.5.4
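Review bot: The bound added in the first hunk, `tk->i_sipr_subpacket_count >= tk->i_subpacket_h`, is only as strong as the size of the block behind `tk->p_sipr_packet`, and nothing in the hunk states that size; the allocation sits in the lines elided between the two hunks. If that block is sized as `i_frame_size * i_subpacket_h` (not visible here, so to be confirmed), the product should also be checked for overflow where the two fields are set, otherwise the index check can pass while the buffer is smaller than assumed. I would record the invariant above the condition, e.g. `/* p_sipr_packet has room for i_subpacket_h frames of i_frame_size bytes; reject any index past the last slot */`. The new early return also discards the frame silently, so a `msg_Dbg( p_demux, ... )` on that path would make malformed streams visible during triage. DemuxAudioSipr's body starts before and continues after both hunks.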