CVE-2023-45677: 
Linux Debian vulnerability analysis and mitigation

stbvorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in f->vendor[len] = (char)'\0';. The vulnerability was discovered in October 2023 and assigned CVE-2023-45677. The affected component is stbvorbis version 1.22 (NVD).

The root cause is that if len read in start_decoder is a negative number and setup_malloc successfully allocates memory in that case, but memory write is done with a negative index len. Similarly if len is INTMAX the integer overflow len+1 happens in f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1)); and `f->commentlist[i] = (char)setup_malloc(f, sizeof(char) (len+1));`. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) by NVD (NVD).

This vulnerability can lead to code execution through heap buffer overflow. The out-of-bounds write can potentially allow an attacker to execute arbitrary code by corrupting heap memory (GitHub Security Lab).

The vulnerability affects version 1.22 of stb_vorbis. Users should update to a patched version when available. In the meantime, input validation should be implemented to check for negative length values and integer overflow conditions before processing ogg vorbis files (Debian Security Tracker).