From 3d81432a1e90e46a436b8a1e98cdcb6f0d6a4e1b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 13 Sep 2013 15:05:17 -0500
Subject: [PATCH] Fix out-of-bounds memory accesses. And remove a variable-length-array usage.
---
 src/analyzer/protocol/pop3/POP3.cc | 6 ++++--
 src/input/Manager.cc | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 652fd20e32..ccbbb8df04 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -80,7 +80,7 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 static string trim_whitespace(const char* in)
 {
 int n = strlen(in);
- char out[n];
+ char* out = new char[n + 1];
 char* out_p = out;
 in = skip_whitespace(in);
@@ -112,7 +112,9 @@ static string trim_whitespace(const char* in)
 *out_p = 0;
- return string(out);
+ string rval(out);
+ delete [] out;
+ return rval;
 }
 void POP3_Analyzer::ProcessRequest(int length, const char* line)
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index 94c025a459..d838e8cb75 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -2045,7 +2045,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val)
 case IPv6:
 length = sizeof(val->val.addr_val.in.in6);
 memcpy(data + startpos,
- (const char*) &(val->val.subnet_val.prefix.in.in4), length);
+ (const char*) &(val->val.subnet_val.prefix.in.in6), length);
 break;
 default:
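Review bot: In trim_whitespace (src/analyzer/protocol/pop3/POP3.cc, first hunk) the buffer from `new char[n + 1]` is released only by the `delete [] out` added in the second hunk, so an early return or exception in the part of the function between the two hunks, which this patch does not show, would leak it. Letting a container own the buffer removes that dependency: `vector<char> out(n + 1);`, `char* out_p = &out[0];` and `return string(&out[0]);`, assuming `<vector>` is available in this file. A short comment on the allocation such as `// +1: room for the terminating NUL stored through out_p` would record why the old `n`-sized array was, presumably, the out-of-bounds write named in the subject. This function handles text taken from POP3 traffic, so the sizing is worth pinning down in the code itself.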
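Review bot: In the IPv6 case of Manager::CopyValue (src/input/Manager.cc), `length` is still computed from `val->val.addr_val.in.in6` on the context line above, while the corrected memcpy reads from `val->val.subnet_val.prefix.in.in6`. The two members presumably share a type, so the size is likely right, but a `sizeof` that names a different member than the one copied is the same kind of mismatch this change fixes; `length = sizeof(val->val.subnet_val.prefix.in.in6);` keeps the two in step. The hunk does not show how `data + startpos` is bounded, and the enclosing switch starts and ends outside it, so it is worth confirming that the caller sizes `data` for the IPv6 length.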