Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Debian 0.15.1b-10, debian/patches/length-check.patch

Index: layer12.c
--- layer12.c.orig
+++ layer12.c
@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
  * DESCRIPTION:	decode one requantized Layer I sample from a bitstream
  */
 static
-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
+mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
 {
   mad_fixed_t sample;
+  struct mad_bitptr frameend_ptr;
 
+  mad_bit_init(&frameend_ptr, stream->next_frame);
+
+  if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+    stream->error = MAD_ERROR_LOSTSYNC;
+    stream->sync = 0;
+    return 0;
+  }
   sample = mad_bit_read(ptr, nb);
 
   /* invert most significant bit, extend sign, then scale to fixed format */
@@ -106,7 +114,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
   struct mad_header *header = &frame->header;
   unsigned int nch, bound, ch, s, sb, nb;
   unsigned char allocation[2][32], scalefactor[2][32];
+  struct mad_bitptr bufend_ptr, frameend_ptr;
 
+  mad_bit_init(&bufend_ptr, stream->bufend);
+  mad_bit_init(&frameend_ptr, stream->next_frame);
+
   nch = MAD_NCHANNELS(header);
 
   bound = 32;
@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
   /* check CRC word */
 
   if (header->flags & MAD_FLAG_PROTECTION) {
+    if (mad_bit_length(&stream->ptr, &bufend_ptr)
+		< 4 * (bound * nch + (32 - bound))) {
+      stream->error = MAD_ERROR_BADCRC;
+      return -1;
+    }
     header->crc_check =
       mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
 		  header->crc_check);
@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
 
   for (sb = 0; sb < bound; ++sb) {
     for (ch = 0; ch < nch; ++ch) {
+      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+	stream->error = MAD_ERROR_LOSTSYNC;
+	stream->sync = 0;
+	return -1;
+      }
       nb = mad_bit_read(&stream->ptr, 4);
 
       if (nb == 15) {
@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
   }
 
   for (sb = bound; sb < 32; ++sb) {
+    if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+      stream->error = MAD_ERROR_LOSTSYNC;
+      stream->sync = 0;
+      return -1;
+    }
     nb = mad_bit_read(&stream->ptr, 4);
 
     if (nb == 15) {
@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
   for (sb = 0; sb < 32; ++sb) {
     for (ch = 0; ch < nch; ++ch) {
       if (allocation[ch][sb]) {
+        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+	  stream->error = MAD_ERROR_LOSTSYNC;
+	  stream->sync = 0;
+	  return -1;
+	}
 	scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
 
 # if defined(OPT_STRICT)
@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
       for (ch = 0; ch < nch; ++ch) {
 	nb = allocation[ch][sb];
 	frame->sbsample[ch][s][sb] = nb ?
-	  mad_f_mul(I_sample(&stream->ptr, nb),
+	  mad_f_mul(I_sample(&stream->ptr, nb, stream),
 		    sf_table[scalefactor[ch][sb]]) : 0;
+	if (stream->error != 0)
+	  return -1;
       }
     }
 
@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *stream, struct mad_
       if ((nb = allocation[0][sb])) {
 	mad_fixed_t sample;
 
-	sample = I_sample(&stream->ptr, nb);
+	if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
+	  stream->error = MAD_ERROR_LOSTSYNC;
+	  stream->sync = 0;
+          return -1;
+	}
+	sample = I_sample(&stream->ptr, nb, stream);
+        if (stream->error != 0)
+	  return -1;
 
 	for (ch = 0; ch < nch; ++ch) {
 	  frame->sbsample[ch][s][sb] =
@@ -280,13 +321,21 @@ struct quantclass {
 static
 void II_samples(struct mad_bitptr *ptr,
 		struct quantclass const *quantclass,
-		mad_fixed_t output[3])
+		mad_fixed_t output[3], struct mad_stream *stream)
 {
   unsigned int nb, s, sample[3];
+  struct mad_bitptr frameend_ptr;
 
+  mad_bit_init(&frameend_ptr, stream->next_frame);
+
   if ((nb = quantclass->group)) {
     unsigned int c, nlevels;
 
+    if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
+      stream->error = MAD_ERROR_LOSTSYNC;
+      stream->sync = 0;
+      return;
+    }
     /* degrouping */
     c = mad_bit_read(ptr, quantclass->bits);
     nlevels = quantclass->nlevels;
@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
   else {
     nb = quantclass->bits;
 
-    for (s = 0; s < 3; ++s)
+    for (s = 0; s < 3; ++s) {
+      if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+	stream->error = MAD_ERROR_LOSTSYNC;
+	stream->sync = 0;
+	return;
+      }
       sample[s] = mad_bit_read(ptr, nb);
+    }
   }
 
   for (s = 0; s < 3; ++s) {
@@ -336,7 +391,10 @@ int mad_layer_II(struct mad_stream *stream, struct mad
   unsigned char const *offsets;
   unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
   mad_fixed_t samples[3];
+  struct mad_bitptr frameend_ptr;
 
+  mad_bit_init(&frameend_ptr, stream->next_frame);
+
   nch = MAD_NCHANNELS(header);
 
   if (header->flags & MAD_FLAG_LSF_EXT)
@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stream, struct mad
   for (sb = 0; sb < bound; ++sb) {
     nbal = bitalloc_table[offsets[sb]].nbal;
 
-    for (ch = 0; ch < nch; ++ch)
+    for (ch = 0; ch < nch; ++ch) {
+      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+	stream->error = MAD_ERROR_LOSTSYNC;
+	stream->sync = 0;
+	return -1;
+      }
       allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+    }
   }
 
   for (sb = bound; sb < sblimit; ++sb) {
     nbal = bitalloc_table[offsets[sb]].nbal;
 
+    if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+      stream->error = MAD_ERROR_LOSTSYNC;
+      stream->sync = 0;
+      return -1;
+    }
     allocation[0][sb] =
     allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
   }
@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stream, struct mad
 
   for (sb = 0; sb < sblimit; ++sb) {
     for (ch = 0; ch < nch; ++ch) {
-      if (allocation[ch][sb])
+      if (allocation[ch][sb]) {
+	if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
+	  stream->error = MAD_ERROR_LOSTSYNC;
+	  stream->sync = 0;
+	  return -1;
+	}
 	scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+      }
     }
   }
 
@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stream, struct mad
   for (sb = 0; sb < sblimit; ++sb) {
     for (ch = 0; ch < nch; ++ch) {
       if (allocation[ch][sb]) {
+	if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+	  stream->error = MAD_ERROR_LOSTSYNC;
+	  stream->sync = 0;
+	  return -1;
+	}
 	scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
 
 	switch (scfsi[ch][sb]) {
@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stream, struct mad
 	  break;
 
 	case 0:
+	  if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+	    stream->error = MAD_ERROR_LOSTSYNC;
+	    stream->sync = 0;
+	    return -1;
+	  }
 	  scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
 	  /* fall through */
 
 	case 1:
 	case 3:
+	  if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+	    stream->error = MAD_ERROR_LOSTSYNC;
+	    stream->sync = 0;
+	    return -1;
+	  }
 	  scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
 	}
 
@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stream, struct mad
 	if ((index = allocation[ch][sb])) {
 	  index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
-	  II_samples(&stream->ptr, &qc_table[index], samples);
+	  II_samples(&stream->ptr, &qc_table[index], samples, stream);
+	  if (stream->error != 0)
+            return -1;
 
 	  for (s = 0; s < 3; ++s) {
 	    frame->sbsample[ch][3 * gr + s][sb] =
@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stream, struct mad
       if ((index = allocation[0][sb])) {
 	index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
-	II_samples(&stream->ptr, &qc_table[index], samples);
+	II_samples(&stream->ptr, &qc_table[index], samples, stream);
+	if (stream->error != 0)
+          return -1;
 
 	for (ch = 0; ch < nch; ++ch) {
 	  for (s = 0; s < 3; ++s) {
