Pick fixes for two security vulnerabilities from upstream repository:

CVE-2017-14160: Fix bounds check on very low sample rates.
CVE-2018-10392: Sanity check number of channels in setup.

These were committed upstream two years ago, but there has been no
release since.

Reported by:	T.J. Townsend <tj@openbsd.org>
Security:	4200d5f5-b985-11ea-b08a-f8b156b6dcc8

audio/libvorbis/Makefile

@@ -3,6 +3,7 @@
 
 PORTNAME=	libvorbis
 PORTVERSION=	1.3.6
+PORTREVISION=	1
 PORTEPOCH=	3
 CATEGORIES=	audio
 MASTER_SITES=	https://downloads.xiph.org/releases/vorbis/ \

audio/libvorbis/files/patch-lib_psy.c

@@ -0,0 +1,15 @@
+CVE-2017-14160: fix bounds check on very low sample rates.
+https://gitlab.xiph.org/xiph/vorbis/-/commit/018ca26dece618457dd13585cad52941193c4a25
+--- lib/psy.c.orig	2020-06-28 19:37:27 UTC
++++ lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+   for (i = 0, x = 0.f;; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+-    if( lo>=0 ) break;
+     hi = b[i] & 0xffff;
++    if( lo>=0 ) break;
++    if( hi>=n ) break;
+ 
+     tN = N[hi] + N[-lo];
+     tX = X[hi] - X[-lo];

audio/libvorbis/files/patch-lib_vorbisenc.c

@@ -0,0 +1,12 @@
+CVE-2018-10392: Sanity check number of channels in setup.
+https://gitlab.xiph.org/xiph/vorbis/-/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b
+--- lib/vorbisenc.c.orig	2020-06-28 19:38:54 UTC
++++ lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+   highlevel_encode_setup *hi=&ci->hi;
+ 
+   if(ci==NULL)return(OV_EINVAL);
++  if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+   if(!hi->impulse_block_p)i0=1;
+ 
+   /* too low/high an ATH floater is nonsensical, but doesn't break anything */