# Stolen from Mozilla, with minor adjustments.
# Author: Timothy B. Terriberry <tterribe@vt.edu>

diff --git a/media/libvorbis/lib/floor1.c b/media/libvorbis/lib/floor1.c
--- a/media/libvorbis/lib/floor1.c
+++ b/media/libvorbis/lib/floor1.c
@@ -162,16 +162,17 @@ static vorbis_info_floor *floor1_unpack 
 
   /* read the post list */
   info->mult=oggpack_read(opb,2)+1;     /* only 1,2,3,4 legal now */
   rangebits=oggpack_read(opb,4);
   if(rangebits<0)goto err_out;
 
   for(j=0,k=0;j<info->partitions;j++){
     count+=info->class_dim[info->partitionclass[j]];
+    if(count>VIF_POSIT) goto err_out;
     for(;k<count;k++){
       int t=info->postlist[k+2]=oggpack_read(opb,rangebits);
       if(t<0 || t>=(1<<rangebits))
         goto err_out;
     }
   }
   info->postlist[0]=0;
   info->postlist[1]=1<<rangebits;