Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Debian 0.15.1b-10, debian/patches/length-check.patch

Index: bit.c
--- bit.c.orig
+++ bit.c
@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bitptr *bitptr, 
 {
   register unsigned long value;
 
+  if (len == 0)
+    return 0;
+
   if (bitptr->left == CHAR_BIT)
     bitptr->cache = *bitptr->byte;