From fbfe8a23382eaf6f688bcba3704f636657e478ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Thu, 19 Oct 2023 16:53:08 +0200
Subject: [PATCH] check len+1 for overflow

---
 stb_vorbis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/stb_vorbis.c
+++ b/stb_vorbis.c
@@ -934,6 +934,7 @@ static void *make_block_array(void *mem,
 
 static void *setup_malloc(vorb *f, int sz)
 {
+   f (sz < 0) return NULL;
    sz = (sz+7) & ~7; // round up to nearest 8 for alignment of future allocs.
    f->setup_memory_required += sz;
    if (f->alloc.alloc_buffer) {
@@ -3634,7 +3635,7 @@ static int start_decoder(vorb *f)
    if (!vorbis_validate(header))                    return error(f, VORBIS_invalid_setup);
    //file vendor
    len = get32_packet(f);
-   f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));
+   f->vendor = (INT_MAX == len) ? NULL : (char*)setup_malloc(f, sizeof(char) * (len+1));
    if (f->vendor == NULL)                           return error(f, VORBIS_outofmem);
    for(i=0; i < len; ++i) {
       f->vendor[i] = get8_packet(f);
@@ -3651,7 +3652,7 @@ static int start_decoder(vorb *f)
 
    for(i=0; i < f->comment_list_length; ++i) {
       len = get32_packet(f);
-      f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));
+      f->comment_list[i] = (INT_MAX == len) ? NULL : (char*)setup_malloc(f, sizeof(char) * (len+1));
       if (f->comment_list[i] == NULL) {
          f->comment_list_length = 0;
          return error(f, VORBIS_outofmem);