libvorbis/r14502.patch

Index: lib/info.c
===================================================================
--- lib/info.c	(revision 14501)
+++ lib/info.c	(revision 14502)
@@ -236,17 +236,21 @@
   int i;
   int vendorlen=oggpack_read(opb,32);
   if(vendorlen<0)goto err_out;
+  if(vendorlen+8>opb->storage)goto err_out;
   vc->vendor=_ogg_calloc(vendorlen+1,1);
   _v_readstring(opb,vc->vendor,vendorlen);
-  vc->comments=oggpack_read(opb,32);
-  if(vc->comments<0)goto err_out;
+  i=oggpack_read(opb,32);
+  if(i<0)goto err_out;
+  if(4*i+oggpack_bytes(opb)>opb->storage)goto err_out;
+  vc->comments=i;
   vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
   vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
 	    
   for(i=0;i<vc->comments;i++){
     int len=oggpack_read(opb,32);
     if(len<0)goto err_out;
-	vc->comment_lengths[i]=len;
+    if(len+oggpack_bytes(opb)>opb->storage)goto err_out;
+    vc->comment_lengths[i]=len;
     vc->user_comments[i]=_ogg_calloc(len+1,1);
     _v_readstring(opb,vc->user_comments[i],len);
   }