diff --git a/vlc-CVE-2015-5949.patch b/vlc-CVE-2015-5949.patch
new file mode 100644
index 0000000..1040bd1
--- /dev/null
+++ b/vlc-CVE-2015-5949.patch
@@ -0,0 +1,30 @@
+From ce91452460a75d7424b165c4dc8db98114c3cbd9 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie
+Date: Mon, 3 Aug 2015 15:17:32 +0200
+Subject: [PATCH 1/1] demux: mp4: correctly match release function
+
+Signed-off-by: Jean-Baptiste Kempf
+---
+ modules/demux/mp4/libmp4.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 331262b..f220e51 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -3643,6 +3643,11 @@ void MP4_BoxFree( stream_t *s, MP4_Box_t *p_box )
+ {
+ for( i_index = 0; ; i_index++ )
+ {
++ if ( MP4_Box_Function[i_index].i_parent &&
++ p_box->p_father &&
++ p_box->p_father->i_type != MP4_Box_Function[i_index].i_parent )
++ continue;
++
+ if( ( MP4_Box_Function[i_index].i_type == p_box->i_type )||
+ ( MP4_Box_Function[i_index].i_type == 0 ) )
+ {
+--
+1.7.10.4
+
+
diff --git a/vlc.changes b/vlc.changes
index bfce806..4a04f88 100644
--- a/vlc.changes
+++ b/vlc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb 5 09:07:03 UTC 2016 - dimstar@opensuse.org
+
+- Add vlc-CVE-2015-5949.patch: demux: mp4: correctly match release
+ function (boo#965227, CVE-2015-5949).
+
 -------------------------------------------------------------------
 Mon Jan 4 08:50:53 UTC 2016 - ctrippe@opensuse.org
 
diff --git a/vlc.spec b/vlc.spec
index 30f364a..3b9d7d3 100644
--- a/vlc.spec
+++ b/vlc.spec
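Review bot: The parent check added to the lookup loop in MP4_BoxFree (vlc-CVE-2015-5949.patch) carries no comment stating the invariant it enforces, namely that the free path has to select the same MP4_Box_Function entry that was selected when the box was read. Judging by the commit subject, a mismatch means a release callback runs on payload laid out by a different reader, so I would add above the `if`: `/* Must pick the same table entry as the read-side lookup, or the wrong free callback is applied to this box's payload */`. Also worth confirming: when `p_box->p_father` is NULL, an entry with a non-zero `i_parent` is not skipped and can still match on `i_type` alone, which is only safe if the read path (not visible in this hunk) resolves parentless boxes the same way. Longer term, recording the chosen entry or its free callback in the box at read time would remove the need to keep two lookups in sync. The body of MP4_BoxFree starts and ends outside the hunk.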
@@ -47,6 +47,8 @@ Patch1: vlc-2.1.5-fix-skins2-default-skin-creation.patch
 Patch2: vlc-qt5.5-mousepointer.patch
 Patch3: 0001-no-return-in-non-void.patch
 Patch4: vlc-2.2.0-fix_deinterlace_mmx.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2015-5949.patch boo#965227 CVE-2015-5949 dimstar@opensuse.org -- demux: mp4: correctly match release function
+Patch5: vlc-CVE-2015-5949.patch
 BuildRequires: Mesa-devel
 BuildRequires: SDL-devel >= 1.2.10
 BuildRequires: aalib-devel
@@ -313,6 +315,7 @@ date
 %patch4
 %endif
 %endif
+%patch5 -p1
 ### Fix up sources for LUA 5.3
 if pkg-config --atleast-version 5.3 lua; then