From 9ac97942c20b834718794b3ed43b837cf48128eb Mon Sep 17 00:00:00 2001
From: UnknownShadow200
Date: Thu, 13 Jun 2019 11:52:21 +1000
Subject: [PATCH] Fix heap overflow access in vorbis decoder with specially crafted ogg file, fixes #591 (Thanks khang06)
---
 src/Vorbis.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/Vorbis.c b/src/Vorbis.c
index b1a6678af..02516cb98 100644
--- a/src/Vorbis.c
+++ b/src/Vorbis.c
@@ -313,17 +313,16 @@ static ReturnCode Codebook_DecodeSetup(struct VorbisState* ctx, struct Codebook*
 }
 } else {
 len = Vorbis_ReadBits(ctx, 5) + 1;
- for (entry = 0; entry < c->Entries; entry += runLen) {
+ for (entry = 0; entry < c->Entries;) {
 runBits = iLog(c->Entries - entry);
 runLen = Vorbis_ReadBits(ctx, runBits);
- for (i = entry; i < entry + runLen; i++) {
- codewordLens[i] = len;
- }
+ /* handle corrupted ogg files */
+ if (entry + runLen > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;
+
+ for (i = 0; i < runLen; i++) { codewordLens[entry++] = len; }
 c->NumCodewords[len++] = runLen;
- if (entry > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;
 }
- entry = c->Entries;
 }
 c->TotalCodewords = entry;
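Review bot: The index in `c->NumCodewords[len++] = runLen;` is still unbounded, because the added check only limits writes into `codewordLens`. `len` starts at `Vorbis_ReadBits(ctx, 5) + 1` and increments on every pass, and a `runLen` of zero passes the new check without advancing `entry`, so the loop can keep running while `len` grows. The declaration of `NumCodewords` is outside the hunk, so its size is an assumption here. If it is sized for the maximum codeword length of 32, a guard placed just before the index would close this, for example `if (len > 32) return VORBIS_ERR_CODEBOOK_ENTRY;`. Codebook_DecodeSetup starts and ends outside the hunk, so an existing bound elsewhere in the function cannot be ruled out.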