Revew and "merge" mozilla patches against libvorbis.
Mozilla is still shipping two small patches against the current libvorbis for more aggressive bad data handling.
These are public patches included in the Firefox 3.6 source distribution. These really should be handled prior to the next libvorbis release.
BZ487519 looks pretty much directly apply-able, BZ498855 needs cleanup to get the conditionals out of the initilizers.
Both could probably use some review to ensure that there aren't nearby failure modes that the patches are not addressing.