diff --git a/bindfs-06-fix-short-alloc.diff b/bindfs-06-fix-short-alloc.diff
new file mode 100644
index 0000000..e02d557
--- /dev/null
+++ b/bindfs-06-fix-short-alloc.diff
@@ -0,0 +1,44 @@
+parent cb9540a5b8dcc6640e39fe9cc948d385bfa82664 ()
+commit 6feab338aed1ad390ba4b0042f0490c7e317c7e3
+Author: Jan Engelhardt
+Date: Tue Jul 3 03:28:50 2012 +0200
+
+bindfs: avoid crash due to too-short allocation
+
+pathconf() can return negative values to indicate an error. Using the
+result of pathconf naïvely in arithmetic is therefore inappropriate.
+---
+ src/bindfs.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/bindfs.c b/src/bindfs.c
+index ded13be..48b732c 100644
+--- a/src/bindfs.c
++++ b/src/bindfs.c
+@@ -54,6 +54,7 @@
+ #include
+ #include
+ #include
++#include
+ #ifdef HAVE_SETXATTR
+ #include
+ #endif
+@@ -399,9 +400,13 @@ static int bindfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
+ struct dirent *de;
+ struct stat st;
+ int result = 0;
+-
+- de_buf = malloc(offsetof(struct dirent, d_name) + pathconf(path, _PC_NAME_MAX) + 1);
+-
++ long pc_ret;
++
++ pc_ret = pathconf(path, _PC_NAME_MAX);
++ if (pc_ret < 0)
++ pc_ret = NAME_MAX; /* or scream and abort()? */
++ de_buf = malloc(offsetof(struct dirent, d_name) + pc_ret + 1);
++
+ seekdir(dp, offset);
+ while (1) {
+ result = readdir_r(dp, de_buf, &de);
+--
+# Created with git-export-patch
diff --git a/bindfs.changes b/bindfs.changes
index a43aafb..99f5378 100644
--- a/bindfs.changes
+++ b/bindfs.changes
@@ -4,7 +4,7 @@ Mon Jul 2 23:30:30 UTC 2012 - jengelh@inai.de
 - Update to new upstream version 1.10.4
 * A memory bug from 1.10.1, and --create-as-user and thread safety regressions were resolved.
-- Add patches for honoring CFLAGS and reducing memory usage.
+- Add patches for honoring CFLAGS, and to fix a crash
 -------------------------------------------------------------------
 Sat May 5 13:30:19 UTC 2012 - jengelh@medozas.de
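Review bot: In the embedded src/bindfs.c hunk of bindfs-06-fix-short-alloc.diff, the pointer returned by `malloc` goes straight into `readdir_r(dp, de_buf, &de)` with no NULL check, so an allocation failure turns into a write through a null pointer. A guard such as `if (de_buf == NULL) return -ENOMEM;` belongs right after the allocation, together with whatever release of `dp` the function needs; `dp` is set up outside the hunk. The size is also still queried on the `path` string rather than on the directory stream being read, and readdir_r takes no buffer length, so any under-estimate overruns the heap buffer instead of failing. `pc_ret = fpathconf(dirfd(dp), _PC_NAME_MAX);` would tie the limit to the directory that is actually open. The `NAME_MAX` fallback is a guess when the query fails, as the in-line comment already hints, and returning an error there may be safer than guessing low.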
diff --git a/bindfs.spec b/bindfs.spec
index b1d7511..6f29aaf 100644
--- a/bindfs.spec
+++ b/bindfs.spec
@@ -26,9 +26,11 @@ Group: System/Filesystems
 #Git-Clone: git://github.com/mpartel/bindfs
 #DL-URL: http://bindfs.googlecode.com/files/bindfs-1.10.4.tar.gz
 Source: %name-%version.tar.bz2
+# 1,2,3,6 sent upstream #2012-07-02
 Patch1: bindfs-01-cflags.diff
 Patch2: bindfs-02-automake.diff
 Patch3: bindfs-03-permchain1.diff
+Patch6: bindfs-06-fix-short-alloc.diff
 Url: http://code.google.com/p/bindfs/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf
@@ -50,7 +52,7 @@ using various rules.
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -p1
+%patch -P 1 -P 2 -P 3 -P 6 -p1
 %build
 autoreconf -fi;