Vorbis: Check comment counts before allocation

Author: Serial-ATA

CHANGELOG.md

@@ -31,7 +31,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - **WAV**:
     - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
     - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))
-  - **Vorbis**: Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421))
+  - **Vorbis**:
+    - Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421))
+    - Fix attempted large allocations with invalid comment counts ([issue](https://github.com/Serial-ATA/lofty-rs/issues/419))
   - **FLAC**: Fix panic when reading properties of a file with incorrect block sizes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/422))
   - **AIFF**: Fix panic when reading properties of a file with invalid f80 sample rate ([issue](https://github.com/Serial-ATA/lofty-rs/issues/424))
 

lofty/src/ogg/read.rs

@@ -75,6 +75,9 @@ where
 	};
 
 	let number_of_items = data.read_u32::<LittleEndian>()?;
+	if number_of_items > (len >> 2) as u32 {
+		err!(SizeMismatch);
+	}
 
 	let mut tag = VorbisComments {
 		vendor,

lofty/tests/fuzz/assets/vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg

@@ -8,6 +8,13 @@ fn oom1() {
 	oom_test::<VorbisFile>("vorbisfile_read_from/oom-436193bc2d1664b74c19720bef08697d03284f06");
 }
 
+#[test]
+fn large_allocation() {
+	let mut reader =
+		crate::get_reader("vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg");
+	let _ = VorbisFile::read_from(&mut reader, ParseOptions::new());
+}
+
 #[test]
 fn panic1() {
 	let mut reader =