diff --git a/cve-2016-9957.patch b/cve-2016-9957.patch
new file mode 100644
index 0000000..1b1ba38
--- /dev/null
+++ b/cve-2016-9957.patch
@@ -0,0 +1,51 @@
+ diff -rubB gme-old/Spc_Cpu.h gme/Spc_Cpu.h
+Index: game-music-emu-0.6.0/gme/Spc_Cpu.h
+===================================================================
+--- game-music-emu-0.6.0.orig/gme/Spc_Cpu.h 2016-12-16 12:06:53.981779435 +0100
++++ game-music-emu-0.6.0/gme/Spc_Cpu.h 2016-12-16 12:09:35.995506135 +0100
+@@ -76,8 +76,8 @@ Inc., 51 Franklin Street, Fifth Floor, B
+ // TODO: remove non-wrapping versions?
+ #define SPC_NO_SP_WRAPAROUND 0
+
+-#define SET_SP( v ) (sp = ram + 0x101 + (v))
+-#define GET_SP() (sp - 0x101 - ram)
++#define SET_SP( v ) (sp = ram + 0x101 + ((uint8_t) v))
++#define GET_SP() (uint8_t) (sp - 0x101 - ram)
+
+ #if SPC_NO_SP_WRAPAROUND
+ #define PUSH16( v ) (sp -= 2, SET_LE16( sp, v ))
+@@ -485,7 +485,7 @@ loop:
+
+ case 0xAF: // MOV (X)+,A
+ WRITE_DP( 0, x, a + no_read_before_write );
+- x++;
++ x = (uint8_t) (x + 1);
+ goto loop;
+
+ // 5. 8-BIT LOGIC OPERATION COMMANDS
+@@ -808,7 +808,7 @@ loop:
+ unsigned temp = y * a;
+ a = (uint8_t) temp;
+ nz = ((temp >> 1) | temp) & 0x7F;
+- y = temp >> 8;
++ y = (uint8_t) (temp >> 8);
+ nz |= y;
+ goto loop;
+ }
+@@ -838,6 +838,7 @@ loop:
+
+ nz = (uint8_t) a;
+ a = (uint8_t) a;
++ y = (uint8_t) y;
+
+ goto loop;
+ }
+@@ -1004,7 +1005,7 @@ loop:
+ case 0x7F: // RET1
+ temp = *sp;
+ SET_PC( GET_LE16( sp + 1 ) );
+- sp += 3;
++ SET_SP(GET_SP() + 3);
+ goto set_psw;
+ case 0x8E: // POP PSW
+ POP( temp );
diff --git a/libgme.changes b/libgme.changes
index c51bc45..13fdaa0 100644
--- a/libgme.changes
+++ b/libgme.changes
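Review bot: In the new `SET_SP` macro (inner hunk `@@ -76,8 +76,8 @@`) the `(uint8_t)` cast is applied to the bare argument `v` rather than `(v)`, so the new RET1 line `SET_SP(GET_SP() + 3)` expands to `(uint8_t) (sp - 0x101 - ram) + 3` and the `+ 3` escapes the truncation: with the 8-bit stack pointer at 0xFD–0xFF, `sp` is left at `ram + 0x201` through `ram + 0x203` instead of wrapping inside page 1, which appears to be exactly the unbounded stack step this patch sets out to close. Parenthesizing the argument fixes it, `#define SET_SP( v ) (sp = ram + 0x101 + ((uint8_t) (v)))`, and `GET_SP()` should be wrapped the same way so it composes safely in any expression, `#define GET_SP() ((uint8_t) (sp - 0x101 - ram))`. The PUSH/POP macros that are actually compiled (`SPC_NO_SP_WRAPAROUND` is 0, so the `sp -= 2` variant shown is not), and the rest of the opcode loop the later hunks touch, lie outside this patch, so I cannot tell from here whether any other direct `sp` writes remain; the `loop:` body begins and ends outside every hunk.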
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Dec 16 11:16:04 UTC 2016 - psimons@suse.com
+
+- Apply "cve-2016-9957.patch" to fix an arbitrary code execution
+ vulnerability that could have been exploited using specially
+ crafted SPC music files. [CVE-2016-9957, CVE-2016-9958,
+ CVE-2016-9959, CVE-2016-9960, CVE-2016-9961, bsc#1015941]
+
 -------------------------------------------------------------------
 Wed Dec 23 13:09:47 UTC 2015 - mpluskal@suse.com
diff --git a/libgme.spec b/libgme.spec
index c830bc2..ee020b0 100644
--- a/libgme.spec
+++ b/libgme.spec
@@ -28,6 +28,7 @@ Source0: https://bitbucket.org/mpyne/game-music-emu/downloads/game-music-
 Source1: baselibs.conf
 # PATCH-FIX-UPSTREAM libgme-0.6.0-pkgconfig_path.patch http://code.google.com/p/game-music-emu/issues/detail?id=19 reddwarf@opensuse.org -- Fix .pc installation path
 Patch0: libgme-0.6.0-pkgconfig_path.patch
+Patch1: cve-2016-9957.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: pkg-config
@@ -75,6 +76,7 @@ which use libgme.
 %prep
 %setup -q -n game-music-emu-%{version}
 %patch0
+%patch1 -p1
 sed -i 's/\r$//' changes.txt design.txt gme.txt license.txt readme.txt
 %build