This patch is from upstream:
https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34

commit fd607a3439fcdd0992e5efded3c16fc79c804e34
Author: Christopher O'Neill <code@chrisoneill.co.uk>
Date:   Tue Jul 30 19:11:58 2019 +0100

    Fix #184: Heap overflow in S3M loader

diff --git a/src/milkyplay/LoaderS3M.cpp b/src/milkyplay/LoaderS3M.cpp
index 5abf211..edf0fd5 100644
--- a/src/milkyplay/LoaderS3M.cpp
+++ b/src/milkyplay/LoaderS3M.cpp
@@ -340,7 +340,11 @@ mp_sint32 LoaderS3M::load(XMFileBase& f, XModule* module)
 		return MP_OUT_OF_MEMORY;
 	
 	header->insnum = f.readWord(); // number of instruments
-	header->patnum = f.readWord(); // number of patterns	
+	if (header->insnum > MP_MAXINS)
+		return MP_LOADER_FAILED;
+	header->patnum = f.readWord(); // number of patterns
+	if (header->patnum > 256)
+		return MP_LOADER_FAILED;
 	
 	mp_sint32 flags = f.readWord(); // st3 flags