integer overflow leads to out-of-bounds read in print_comments(char *comments, int length)
Hi, recently I fuzzed speex-1.2.0 with afl, and found a crash:

```
root@host-10-0-0-25:/home/ubuntu/speex/test/speex-1.2.0# src/speexdec fuzzout/crashes/id:000000,sig:06,src:000001,op:flip2,pos:168 dddd.wav 2>redirect_stderr
```
- The original normal speex file is: all_normal.spx
- The invalid speex file generated by afl is: id_000000_sig_06_src_000001_op_flip2_pos_168
- And the stderr is: redirect_stderr
Later I analyzed the crash, and found there is an integer overflow in function print_comments():
```
Breakpoint 9, print_comments ( comments=0xf6000200 "=r\230\023\361\063~\375\234Y\220}\r\035\221q5\027\241\026", <incomplete sequence \331>, length=0x3e) at speexdec.c:107
107	      c+=4;
gdb-peda$ print len
$105 = 0x1398723d
gdb-peda$ print end
$106 = 0xf600023e
```
Obviously, c=comments+4, c+len<end, so it bypasses the length check at line 108 in speexdec.c, then leads to an out-of-bounds read at line 113 in speexdec.c.
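The wraparound described above, next to a check that cannot wrap, as an added example that is not speex's own code. `check_ptr_arith32` models the `c+len>end` comparison with 32-bit addresses (plain integers, so the wrap is deterministic), `check_remaining` and `parse_comment` are hypothetical hardened equivalents that compare `len` with the bytes left in the buffer, and the sample inputs are constructed from the values in the gdb session (the header bytes `=r\230\023` read little-endian as 0x1398723d).

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian 32-bit read of a length field, as a comment header stores it. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models the check "len < 0 || c + len > end" with 32-bit addresses.
 * Returns 1 when the check would let the read proceed. Addresses are
 * uint32_t here so the wrap is deterministic; on a real pointer it is
 * undefined behaviour, which is exactly why the check cannot be trusted. */
int check_ptr_arith32(uint32_t comments, uint32_t length, uint32_t len)
{
    uint32_t c   = comments + 4;    /* c = comments + 4, past the length field */
    uint32_t end = comments + length;
    if ((int32_t)len < 0)
        return 0;
    return (c + len) <= end;        /* c + len wraps past 2^32 and looks small */
}

/* Hardened form: compare len with the bytes that remain, never with a
 * pointer that has len added to it. No intermediate value can wrap. */
int check_remaining(size_t length, uint32_t len)
{
    return length >= 4 && len <= length - 4;
}

/* Parse one length-prefixed string with the hardened check.
 * Returns the string length, or -1 if the header cannot be trusted. */
int parse_comment(const unsigned char *buf, size_t length,
                  const unsigned char **str)
{
    if (length < 4)
        return -1;
    uint32_t len = read_le32(buf);
    if (!check_remaining(length, len) || len > INT32_MAX)
        return -1;
    *str = buf + 4;
    return (int)len;
}

/* Constructed inputs: a well-formed 5-byte string, and a header claiming
 * 0x1398723d bytes inside a 0x3e-byte buffer, the values from the crash. */
static const unsigned char GOOD[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char BAD[0x3e] = {0x3d, 0x72, 0x98, 0x13};
int demo_good(void) { const unsigned char *s; return parse_comment(GOOD, sizeof GOOD, &s); }
int demo_bad(void)  { const unsigned char *s; return parse_comment(BAD, sizeof BAD, &s); }
```

With comments=0xf6000200 and length=0x3e, the modelled pointer check accepts len=0x1398723d because 0xf6000204+0x1398723d wraps to 0x09987441, while the remaining-bytes check rejects anything above 0x3a.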