libsdl-org / SDL_mixer

An audio mixer that supports various file formats for Simple Directmedia Layer.

Suggestion: Maintain stb_vorbis fork somewhere

ericoporto opened this issue · comments

I noticed stb_vorbis gets patched here faster than upstream - sources being here: https://github.com/libsdl-org/SDL_mixer/tree/main/src/codecs/stb_vorbis

I wonder if it makes sense to maintain it in its own repository to make it easier to sync/track in other projects that also use stb_vorbis - like SDL_Sound. This patching is mostly done by @sezero so I am curious about their opinion.

Of course upstream holds the file in the same repository where other headers exist, possibly where the majority is either less important or unused by SDL project, so not sure on the implications.

It's not a large project, so I'm patching it where it's used and documenting the patch origins as necessary.

IMO, it shouldn't be necessary to maintain it in a dedicated repo, but @slouken and/or @icculus should decide.

I think we should take some time to fuzz stb_vorbis--because I doubt anyone has yet--apply any fixes and send them upstream, and then assume it's good enough without maintaining a fork.

At libxmp, @AliceLR fuzzed it as part of the library and many of the patches result from that, and most, if not all, of those patches are already submitted to upstream. The thing is, unfortunately, the upstream doesn't seem to be interested much. More fuzzing won't hurt, of course, for better safety of our own libraries.

To be clear, beyond the now-merged CVE patches, what made me open this issue was the comment here:

nothings/stb#1520 (comment)

While I understand it, we have been transitioning our game engine to SDL libraries, and I am not sure how to communicate this to the users in this case - the issue that this surfaced is adventuregamestudio/ags#2250

The main issue isn't in safety though; it's more that I have been trying to follow up on the upstream repo and comparing both stb_vorbis in SDL_mixer and SDL_sound to see if they are indeed in sync.

I think the issue can be closed as it's understood it's not necessary to maintain a fork for the time being.

BTW, I forked stb and created a branch for stb_vorbis updates here:
https://github.com/sezero/stb/tree/stb_vorbis-sezero

I think I applied everything that's already applied in SDL_mixer,
SDL_sound, and libxmp (excluding changes specific to those libs) in
a one-thing-at-a-time manner. If there's something missing, either
in there or in SDL_mixer / SDL_sound, drop a note.

Can you move it to the libsdl-org repo? That way all of the SDL specific third party changes are in one place?

Forked my fork under libsdl-org and created a branch as stb_vorbis-sdl from my own branch

Should we close this?

Why not fork directly from upstream?

OK, deleted and re-forked from mainstream, pushed my branch to it

The fork is done here https://github.com/libsdl-org/stb/tree/stb_vorbis-sezero

Perhaps it could be set as default branch but this is a minor detail. I am closing this as it seems it's solved! Thanks