SDL_mixer: stb_vorbis: fix CVE-2023-45679 and CVE-2023-45680. (58274)

From 58274612c0161fe378aafe2d40a2ad8adb8f65d3 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Mon, 11 Dec 2023 05:50:10 +0300
Subject: [PATCH] stb_vorbis: fix CVE-2023-45679 and CVE-2023-45680.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
to mainstream at: https://github.com/nothings/stb/pull/1557 and
https://github.com/nothings/stb/pull/1558

GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()

(cherry picked from commit 4361f572dac8dc390a991cec2e5b96324c8b186d)
---
 src/codecs/stb_vorbis/stb_vorbis.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/codecs/stb_vorbis/stb_vorbis.h b/src/codecs/stb_vorbis/stb_vorbis.h
index 07a518ac..03c7d102 100644
--- a/src/codecs/stb_vorbis/stb_vorbis.h
+++ b/src/codecs/stb_vorbis/stb_vorbis.h
@@ -3750,8 +3750,13 @@ static int start_decoder(vorb *f)
    f->comment_list = NULL;
    if (f->comment_list_length > 0)
    {
-      f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
-      if (f->comment_list == NULL)                  return error(f, VORBIS_outofmem);
+      len = sizeof(char*) * f->comment_list_length;
+      f->comment_list = (char**) setup_malloc(f, len);
+      if (f->comment_list == NULL) {
+         f->comment_list_length = 0;
+         return error(f, VORBIS_outofmem);
+      }
+      memset(f->comment_list, 0, len);
    }
 
    for(i=0; i < f->comment_list_length; ++i) {