integer overflow leads to out-of-bounds read in print_comments(char *comments, int length)
Hi, recently I fuzzed speex-1.2.0 with afl, and found a crash:

```
root@host-10-0-0-25:/home/ubuntu/speex/test/speex-1.2.0# src/speexdec fuzzout/crashes/id:000000,sig:06,src:000001,op:flip2,pos:168 dddd.wav 2>redirect_stderr
```

1. The original normal speex file is: [all_normal.spx](/uploads/95cfb92204df8079a4557dd4a4cde109/all_normal.spx)
2. The invalid speex file generated by afl is: [id_000000_sig_06_src_000001_op_flip2_pos_168](/uploads/3a854323ea911329d17ae84dc8bfc7e0/id_000000_sig_06_src_000001_op_flip2_pos_168)
3. And the stderr is: [redirect_stderr](/uploads/3fc6e869a76e21c734b11928010ae313/redirect_stderr)

Later I analyzed the crash, and found there is an integer overflow in function print_comments():

```
Breakpoint 9, print_comments (comments=0xf6000200 "=r\230\023\361\063~\375\234Y\220}\r\035\221q5\027\241\026", <incomplete sequence \331>, length=0x3e) at speexdec.c:107
107	   c+=4;
gdb-peda$ print len
$105 = 0x1398723d
gdb-peda$ print end
$106 = 0xf600023e
```

Obviously, `c=comments+4`, `c+len<end`, and this bypasses the length check at line 108 in speexdec.c, which then leads to an out-of-bounds read at line 113 in speexdec.c.
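An added example, not part of this report or of speex, that models the check described above: the 32-bit address values and the first four comment bytes (0x3d 0x72 0x98 0x13, i.e. len = 0x1398723d) are taken from the gdb output, the rest of each comment block is constructed, and a 32-bit address space is assumed. It shows why the wrapped sum passes the pointer comparison and a hardened check that compares lengths instead of addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Values from the gdb session above, modelled as 32-bit addresses
 * (assumption: 32-bit address space, as the 8-hex-digit pointers suggest). */
#define COMMENTS_ADDR 0xf6000200u  /* comments */
#define COMMENTS_LEN  0x3e         /* length */
#define HEADER_LEN    0x1398723d   /* len, decoded from the first 4 bytes */

/* The check pattern the report describes, on 32-bit addresses: the untrusted
 * len is added to c before comparing, the sum wraps modulo 2^32 and never
 * exceeds end. Returns true when the check passes, i.e. the read of len
 * bytes starting at c would go ahead. */
bool length_check_wrapping(uint32_t comments, int length, int32_t len)
{
    uint32_t end = comments + (uint32_t)length;
    uint32_t c = comments + 4;
    return !(len < 0 || c + (uint32_t)len > end);
}

/* Hardened form: compare len against the bytes remaining after the 4-byte
 * field, never forming an address past end, so nothing can wrap whatever
 * the pointer width. */
bool length_check_safe(int length, int32_t len)
{
    if (length < 8)                          /* 4-byte field plus data */
        return false;
    size_t remaining = (size_t)(length - 4); /* == end - (comments + 4) */
    return len >= 0 && (size_t)len <= remaining;
}

/* Decodes the 4-byte length field (assumed little-endian: the bytes
 * 0x3d 0x72 0x98 0x13 from the gdb output give 0x1398723d) and validates. */
bool comment_block_ok(const unsigned char *comments, int length)
{
    if (length < 4)
        return false;
    uint32_t raw = (uint32_t)comments[0] | (uint32_t)comments[1] << 8 |
                   (uint32_t)comments[2] << 16 | (uint32_t)comments[3] << 24;
    if (raw > INT32_MAX)            /* would read as a negative int: reject */
        return false;
    return length_check_safe(length, (int32_t)raw);
}

/* Constructed 0x3e-byte blocks. BAD_BLOCK starts with the 4 bytes shown in
 * the gdb output; the remaining bytes are filler, not the fuzzed file's. */
const unsigned char BAD_BLOCK[COMMENTS_LEN]  = { 0x3d, 0x72, 0x98, 0x13, 'x' };
const unsigned char GOOD_BLOCK[COMMENTS_LEN] = { 0x3a, 0x00, 0x00, 0x00, 'x' };
```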