The reference speex decoder from the Speex library performs insufficient boundary checks on a header structure read from user input, this has been reported in oCERT-2008-002 advisory. Further investigation showed that several packages include similar code and are therefore vulnerable.
92ed6546867cd33c0088b7bc15e55f53e67e063a9ac84ec56cc42ae501ff00f3