I experience this issue with a simple sox_read/sox_write loop with libsox.
"write_samples" in flac.c doesn't check if "len" is greater than the size of the allocated buffer "decoded_samples". If so, a buffer overrun can occur. "decoded_samples" is set to sox_globals.bufsiz, so any call to sox_write with a length of more than sox_globals.bufsiz will overrun the buffer.
I've attached a not-very-well-tested potential patch that clamps the input length to the size of the buffer.
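
The clamp described in the report, as an added sketch that is neither the attached patch nor libsox code: a writer with a fixed scratch buffer copies at most the buffer's capacity per call and returns the count consumed, and the caller loops on that count so clamping does not silently drop samples. The names enc_t, enc_start, enc_write, enc_write_all and enc_stop are hypothetical, and the encoder itself is stubbed out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the encoder state; not libsox's own struct. */
typedef struct {
    int32_t *scratch;     /* plays the role of decoded_samples */
    size_t   scratch_len; /* capacity in samples, fixed at start (cf. bufsiz) */
    size_t   total;       /* samples handed to the stubbed encoder so far */
} enc_t;

int enc_start(enc_t *e, size_t bufsiz) {
    e->scratch = malloc(bufsiz * sizeof *e->scratch);
    e->scratch_len = e->scratch ? bufsiz : 0;
    e->total = 0;
    return e->scratch ? 0 : -1;
}

/* Clamped write: copies at most scratch_len samples per call and returns
 * the number consumed, so a short write is visible to the caller. */
size_t enc_write(enc_t *e, const int32_t *buf, size_t len) {
    if (len > e->scratch_len)
        len = e->scratch_len;           /* the bounds check the report says is missing */
    for (size_t i = 0; i < len; i++)
        e->scratch[i] = buf[i] / 65536; /* stand-in for sample-width conversion */
    e->total += len;
    return len;
}

/* Caller side: loop until every sample is consumed or no progress is made. */
size_t enc_write_all(enc_t *e, const int32_t *buf, size_t len) {
    size_t done = 0, n;
    while (done < len && (n = enc_write(e, buf + done, len - done)) > 0)
        done += n;
    return done;
}

void enc_stop(enc_t *e) { free(e->scratch); e->scratch = NULL; e->scratch_len = 0; }

int main(void) {
    enc_t e;
    int32_t in[20];                     /* constructed input: 20 samples */
    for (int i = 0; i < 20; i++) in[i] = i * 65536;
    if (enc_start(&e, 8) != 0) return 1;
    printf("single call consumed %zu of 20\n", enc_write(&e, in, 20));
    printf("looped write consumed %zu of 20\n", enc_write_all(&e, in, 20));
    enc_stop(&e);
    return 0;
}
```

A caller that ignores the return value of the clamped write loses everything past the buffer's capacity, so a clamp-style fix is only complete if the read/write loop honours the short count.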