CVE-2024-50612: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.

CVSS Score (3.1): 5.3

Basic Information

EPSS Score: 0.08319%
Published: 10/28/2024
Updated: 10/30/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Vulnerability Intelligence
Root Cause Analysis

The vulnerability CVE-2024-50612 is an out-of-bounds read in the vorbis_analysis_wrote function, which is part of the external libvorbis library. However, the vulnerability is triggered by libsndfile's usage of this function, specifically within src/ogg_vorbis.c. The analysis of the provided commit 274198fd95152b412ada49be059258ec0efca272 (which fixes issue #1035, related to this CVE) shows modifications in two key functions:

  1. vorbis_close: The crash log from the issue report explicitly shows vorbis_close calling vorbis_analysis_wrote at line 417, leading to the crash. The patch removes the direct call vorbis_analysis_wrote(&vdata->vdsp, 0) from this function. This indicates that vorbis_close was directly responsible for making the problematic call that triggered the out-of-bounds read.
  2. vorbis_write_samples: This function also calls vorbis_analysis_wrote. The patch modifies it to check the return value of vorbis_analysis_wrote and propagate errors. In the patched code, vorbis_close now calls vorbis_write_samples(..., 0) to handle the end-of-stream signaling. This means that prior to the patch, if vorbis_write_samples was called with in_frames = 0, it would have also triggered the vulnerability due to the unchecked call to vorbis_analysis_wrote.

Both functions are in src/ogg_vorbis.c and were modified to prevent the conditions leading to the out-of-bounds read in the external library. Therefore, they are identified as the vulnerable functions within libsndfile, as they were the entry points for the problematic interaction with libvorbis.
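The control-flow change described above, as an added sketch that is not libsndfile or libvorbis code: an unchecked end-of-stream call in the close path beside a close path that reuses one checked write function. The enc_state type, the function names and the stand-in encoder's failure condition are all assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-in for encoder state; not libvorbis or libsndfile code. */
typedef struct {
    int buffered, capacity; /* frames held / frames the buffer can hold */
    int broken;             /* set once a call has failed */
    int blocks_out;         /* blocks passed on after a write */
} enc_state;

/* Stand-in for vorbis_analysis_wrote(); failure condition is assumed. */
static int enc_analysis_wrote(enc_state *e, int frames)
{
    if (e->broken || frames < 0 || e->buffered + frames > e->capacity) {
        e->broken = 1;
        return -1;
    }
    e->buffered += frames;
    return 0;
}

/* Pre-patch shape: close signals end of stream itself and drops the result. */
int close_unchecked(enc_state *e)
{
    enc_analysis_wrote(e, 0); /* return value ignored */
    e->blocks_out++;          /* continues as if the call had succeeded */
    return 0;
}

/* Patched shape: a single write path that checks the return value. */
int write_samples_checked(enc_state *e, int frames)
{
    int ret = enc_analysis_wrote(e, frames);
    if (ret != 0)
        return ret;           /* propagate; encoder output is not touched */
    e->blocks_out++;
    return 0;
}

/* Patched shape: close reuses the checked path with frames = 0. */
int close_checked(enc_state *e) { return write_samples_checked(e, 0); }

int main(void)
{
    enc_state a = { 0, 1024, 0, 0 }, b = { 0, 1024, 0, 0 };
    enc_analysis_wrote(&a, 4096); /* constructed failure: oversized write */
    enc_analysis_wrote(&b, 4096);
    printf("unchecked=%d checked=%d\n", close_unchecked(&a), close_checked(&b));
    return 0;
}
```

With the constructed failure, the unchecked close reports success and keeps processing, while the checked close returns the encoder's error to the caller.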
