Potential Integer Overflow vulnerability in upnphttp.c

[KSB21ST]

Hi,
It seems that there exists a potential integer overflow. Please find the following description:

1. n can be an arbitrary large number
   

   minidlna/upnphttp.c

   Line 1042 in eff7761

   n = recv(h->socket, buf, 2048, 0);

2. h->req_buflen is added to n
   

   minidlna/upnphttp.c

   Line 1060 in eff7761

   h->req_buflen += n;

3. Process_upnphttp(...) is called again
   

   minidlna/minidlna.c

   Line 1180 in eff7761

   Process_upnphttp(e);

4. Call to realloc with the large integer can cause a memory allocation with an overflowed size
   

   minidlna/upnphttp.c

   Line 1088 in eff7761

   h->req_buf = (char *)realloc(h->req_buf, n + h->req_buflen);