security: limit RTSP content-length and check allocation in RAOP client

Input Validation / Memory Safety: Medium

The RTSP client used for RAOP/AirPlay communication accepted arbitrarily
large Content-Length values from the remote server without any upper
bound. A malicious or compromised AirPlay server could specify a very
large Content-Length, causing the client to allocate unbounded memory
and potentially exhaust system resources (denial of service).

Additionally, the return value of pw_array_add() was not checked. If
the allocation failed, the subsequent memcpy would dereference a NULL
pointer, causing a crash.

Add a 64KB limit on Content-Length (more than sufficient for RTSP
control messages) and check the pw_array_add return value.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/modules/module-raop/rtsp-client.c

@@ -322,6 +322,11 @@ static int process_header(struct pw_rtsp_client *client, char *buf)
 			pw_log_debug(" %s: %s", it->key, it->value);
 
 		client->content_length = pw_properties_get_uint32(client->headers, "Content-Length", 0);
+		if (client->content_length > 64 * 1024) {
+			pw_log_error("Content-Length %zu exceeds maximum",
+					client->content_length);
+			return -EOVERFLOW;
+		}
 		if (client->content_length > 0)
 			client->recv_state = CLIENT_RECV_CONTENT;
 		else
@@ -351,6 +356,8 @@ static int process_content(struct pw_rtsp_client *client)
 		}
 
 		void *p = pw_array_add(&client->content, res);
+		if (p == NULL)
+			return -ENOMEM;
 		memcpy(p, buf, res);
 
 		spa_assert((size_t) res <= client->content_length);