--- libmpdemux/demux_audio.c	(revision 24724)
+++ libmpdemux/demux_audio.c	(working copy)
@@ -229,6 +229,8 @@
           ptr += 4;
 
           comment = ptr;
+          if (&comment[length] < comments || &comment[length] >= &comments[blk_len])
+            return;
           c = comment[length];
           comment[length] = 0;
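Review bot: The added guard forms `&comment[length]` before testing it, and when `length` (presumably taken from the file) exceeds what remains of the block, that pointer arithmetic is already undefined behaviour. A compiler may assume it cannot wrap and drop the `< comments` half of the test, so the check is not reliable for very large lengths. Comparing offsets as integers avoids this: `size_t off = comment - comments;` followed by `if (off >= blk_len || length >= blk_len - off) return;`, with casts adjusted to the declared types, which are outside the hunk. The 4-byte length read just before `ptr += 4` also appears to sit ahead of this check, so confirm that at least four bytes remain in the block before it is decoded. The enclosing loop and function start and end outside the hunk, so I cannot tell whether the bare `return` skips any cleanup.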