diff -ru modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c modsecurity-apache_2.7.3/apache2/msc_reqbody.c
--- modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c	2013-03-24 08:12:29.000000000 +0100
+++ modsecurity-apache_2.7.3/apache2/msc_reqbody.c	2013-05-28 14:48:39.063673996 +0100
@@ -170,6 +170,7 @@
 
     /* Would storing this chunk mean going over the limit? */
     if ((msr->msc_reqbody_spilltodisk)
+        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
     {
         msc_data_chunk **chunks;
diff -ru modsecurity-apache_2.7.3.orig/apache2/re_operators.c modsecurity-apache_2.7.3/apache2/re_operators.c
--- modsecurity-apache_2.7.3.orig/apache2/re_operators.c	2013-03-24 08:12:29.000000000 +0100
+++ modsecurity-apache_2.7.3/apache2/re_operators.c	2013-05-28 14:49:30.448696404 +0100
@@ -369,7 +369,7 @@
 /* rsub */
 
 static char *param_remove_escape(msre_rule *rule, char *str, int len)  {
-    char *parm = apr_palloc(rule->ruleset->mp, len);
+    char *parm = apr_pcalloc(rule->ruleset->mp, len);
     char *ret = parm;
 
     for(;*str!='\0';str++)    {