The clamp on the effective number of dimensions to decode in codebook_decode_deinterleave_repeat is trivially broken. libFuzzer managed to find some inputs that exploit this to increase the number of dimensions to be read past the end of the multiplicands array.
3 reproducing inputs, log, and tester source code: vorbis_codebook_effective_dimensions.tar.gz