[Vorbis] vorbis 1.3.7 release

Ralph Giles giles at thaumas.net
Sat Jul 4 19:09:37 UTC 2020

I've pleased to announce the release of libvorbis 1.3.7.

The libvorbis package is the reference implementation for the Vorbis
lossy audio codec, the underlying techology of the ogg file format.

This new release fixes a number of issues, including potential crashes.
We recommend all users upgrade.

Source packages are available from the download site and mirrors:


Changes since the previous 1.3.6 release:

- Fix CVE-2018-10393 and CVE-2017-14160 out-of-bounds read
  encoding very low sample rates.
- Fix handling invalid bytes per sample arguments.
- Fix handling invalid channel count arguments.
- Fix invalid free on seek failure.
- Fix negative shift reading blocksize.
- Fix accepting unreasonable float32 values.
- Fix tag comparison depending on locale.
- Fix unnecessarily linking libm.
- Fix memory leak in test_sharedbook.
- Update Visual Studio projects for ogg library filename change.
- Distribute CMake build files with the source package.
- Remove unnecessary configure --target switch.
- Add gitlab CI support.
- Add OSS-Fuzz support.
- Build system and integration updates.

The encoder signature is updated, and now reads:

  Xiph.Org libVorbis I 20200704 (Reducing Environment)

Source package SHA-256 checksums:

b33cc4934322bcbf6efcbacf49e3ca01aadbea4114ec9589d1b1e9d20f72954b  libvo
0e982409a9c3fc82ee06e08205b1355e5c6aa4c36bca58146ef399621b0ce5ab  libvo
57c8bc92d2741934b8dc939af49c2639edc44b8879cba2ec14ad3189e2814582  libvo

Thanks to everyone who contributed!

Ralph Giles
Xiph.Org Foundation for Open Multimedia
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 858 bytes
Desc: This is a digitally signed message part
URL: <http://lists.xiph.org/pipermail/vorbis/attachments/20200704/359df969/attachment.sig>

More information about the Vorbis mailing list