The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file.
https://www.exploit-db.com/exploits/42399/
https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html