Will Drewry of the Google Security Team reported multiple issues in the OGG Vorbis and Tremor libraries that could cause applications using those libraries to crash (NULL pointer dereference or divide by zero), enter an infinite loop, or suffer a heap overflow caused by integer overflow.
Here are the fixes according to Monty:

r14604: check for / reject impossibly large codebook requests; protects against the case of overflowing a 32 bit integer and requesting a negative heap allocation.

r14602: reject nonsensical 0-dimension codebooks. Prevents a divide by zero crash.

r14598, r14600: Prevent heap overflows caused by dim=bignum and partition_codewords = partion_values^dim. partition_codewords is actually overdetermined; in the case of inconsistency, mark stream undecodable. Protects against the case of overflowing a 32 bit integer and requesting a negative heap allocation.

The revisions refer to the xiph subversion repository: http://svn.xiph.org/
Monty also says we want revision 14502: "It just checked to see if the declared string lengths (vorbis comments are length coded) are longer than the actual comment packet."
All individual issues are resolved now, closing this bug as well.
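For reference, the kinds of header checks the revisions above describe, written as an added example (this is not code from the xiph repository or from this report). All function and parameter names are hypothetical, and the values in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; these are not libvorbis/Tremor identifiers. */

/* Codebook of `entries` vectors, `dim` elements each, `elem_size` bytes per
 * element. Returns 0 if the byte count fits a signed 32-bit int, else -1. */
int check_codebook(long dim, long entries, size_t elem_size)
{
    if (dim < 1 || entries < 1 || elem_size == 0)
        return -1;                      /* 0-dimension book: later divide by zero */
    if (entries > INT32_MAX / dim)
        return -1;                      /* entries * dim would overflow */
    if ((uint64_t)(entries * dim) > INT32_MAX / elem_size)
        return -1;                      /* allocation size would overflow */
    return 0;
}

/* The declared codeword count must equal partitions^dim exactly. */
int check_partition_codewords(long partitions, long dim, long declared)
{
    long acc = 1;
    if (partitions < 1 || dim < 1 || declared < 1)
        return -1;
    /* partitions == 1 yields 1 for any dim; skip the loop so a huge dim cannot stall */
    for (long i = 0; partitions > 1 && i < dim; i++) {
        if (acc > INT32_MAX / partitions)
            return -1;                  /* power no longer fits in 32 bits */
        acc *= partitions;
    }
    return acc == declared ? 0 : -1;    /* inconsistent: stream undecodable */
}

/* A length-coded comment must fit in what remains of the comment packet. */
int check_comment_len(uint32_t declared_len, size_t packet_len, size_t offset)
{
    if (offset > packet_len)
        return -1;
    return declared_len <= packet_len - offset ? 0 : -1;
}

int main(void)
{
    /* Constructed values, not taken from a real stream. */
    printf("%d %d %d\n", check_codebook(0, 256, 4),
           check_partition_codewords(10, 1000000, 100),
           check_comment_len(0xFFFFFFFFu, 64, 8));
    return 0;
}
```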