gecko/media/libvorbis/bug498827.patch
2009-06-19 15:27:59 +12:00


diff --git a/media/libvorbis/lib/vorbis_info.c b/media/libvorbis/lib/vorbis_info.c
index 5a9d209..1d50526 100644
--- a/media/libvorbis/lib/vorbis_info.c
+++ b/media/libvorbis/lib/vorbis_info.c
@@ -16,16 +16,17 @@
********************************************************************/
/* general handling of the header and the vorbis_info structure (and
substructures) */
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include <ogg/ogg.h>
#include "vorbis/codec.h"
#include "codec_internal.h"
#include "codebook.h"
#include "registry.h"
#include "window.h"
#include "psy.h"
#include "misc.h"
@@ -230,27 +231,27 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
err_out:
vorbis_info_clear(vi);
return(OV_EBADHEADER);
}
static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
int i;
int vendorlen=oggpack_read(opb,32);
- if(vendorlen<0)goto err_out;
+ if(vendorlen<0||vendorlen>opb->storage)goto err_out;
vc->vendor=_ogg_calloc(vendorlen+1,1);
_v_readstring(opb,vc->vendor,vendorlen);
vc->comments=oggpack_read(opb,32);
- if(vc->comments<0)goto err_out;
+ if(vc->comments<0||vc->comments>(LONG_MAX>>2)||vc->comments<<2>opb->storage)goto err_out;
vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
for(i=0;i<vc->comments;i++){
int len=oggpack_read(opb,32);
- if(len<0)goto err_out;
+ if(len<0||len>opb->storage)goto err_out;
vc->comment_lengths[i]=len;
vc->user_comments[i]=_ogg_calloc(len+1,1);
_v_readstring(opb,vc->user_comments[i],len);
}
if(oggpack_read(opb,1)!=1)goto err_out; /* EOP check */
return(0);
err_out:
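Review bot: The new bound on `vc->comments` can itself overflow before it compares anything, because the `LONG_MAX>>2` guard is sized for `long` while the shift `vc->comments<<2` is evaluated in the type of `vc->comments`. If that field is an `int` (its declaration is not in this hunk), a header-supplied count above `INT_MAX>>2` passes the first test on LP64 targets and then overflows in the shift, which is undefined behaviour. Shifting the limit instead of the untrusted value avoids this and makes the `<limits.h>` include unnecessary: `if(vc->comments<0||vc->comments>(opb->storage>>2))goto err_out;`. Separately, none of the `_ogg_calloc` results (`vc->vendor`, `vc->user_comments`, `vc->comment_lengths`, `vc->user_comments[i]`) is checked before `_v_readstring` or the loop writes through it, so each allocation should be followed by a `==NULL` test that jumps to `err_out`. The `err_out` cleanup of `_vorbis_unpack_comment` lies outside the hunk, so whether it copes with partially filled arrays cannot be confirmed from here.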