SDL_mixer: stb_vorbis: fix CVE-2023-45681 (integer overflow.) (9069d)

From 9069d66e164477bbd5ca1fd209cc14bab986ab9c Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Mon, 11 Dec 2023 05:50:14 +0300
Subject: [PATCH] stb_vorbis: fix CVE-2023-45681 (integer overflow.)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at https://github.com/nothings/stb/pull/1559

GHSL-2023-171/CVE-2023-45681: Out of bounds heap buffer write

(cherry picked from commit 013c59c5effda1e991b520e514e0cb971d56917b)
---
 src/codecs/stb_vorbis/stb_vorbis.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/codecs/stb_vorbis/stb_vorbis.h b/src/codecs/stb_vorbis/stb_vorbis.h
index 03c7d102..d54b016b 100644
--- a/src/codecs/stb_vorbis/stb_vorbis.h
+++ b/src/codecs/stb_vorbis/stb_vorbis.h
@@ -3750,9 +3750,12 @@ static int start_decoder(vorb *f)
    f->comment_list = NULL;
    if (f->comment_list_length > 0)
    {
+      if (INT_MAX / sizeof(char*) < f->comment_list_length)
+          goto no_comment;
       len = sizeof(char*) * f->comment_list_length;
       f->comment_list = (char**) setup_malloc(f, len);
       if (f->comment_list == NULL) {
+         no_comment:
          f->comment_list_length = 0;
          return error(f, VORBIS_outofmem);
       }
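Review bot: the new guard `if (INT_MAX / sizeof(char*) < f->comment_list_length)` correctly keeps the product that feeds `len` within `int` range, but jumping to `no_comment:` inside the `f->comment_list == NULL` branch reports `VORBIS_outofmem` for what is really a corrupt or hostile header length, so a caller cannot tell a malformed file from a genuine allocation failure; consider returning a header/setup error on that path instead. A one-line comment above the check stating that it prevents `sizeof(char*) * f->comment_list_length` from overflowing would also help, since a label placed inside an `if` body is easy to misread on later edits. Please confirm that `INT_MAX` is declared (i.e. `<limits.h>` is reachable) in every configuration this header is built under, as the hunk itself does not show the include.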