diff --git a/CVE-2018-6187.patch b/CVE-2018-6187.patch
new file mode 100644
index 0000000..b0db024
--- /dev/null
+++ b/CVE-2018-6187.patch
@@ -0,0 +1,63 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89
+
+Index: mupdf-1.12.0-source/source/pdf/pdf-write.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c
++++ mupdf-1.12.0-source/source/pdf/pdf-write.c
+@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_
+ {
+ 	int i;
+ 
+-	num++;
++	/* objects are numbered 0..num and maybe two additional objects for linearization */
++	num += 3;
+ 	opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
+ 	opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
+ 	opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
+@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c
+ {
+ 	pdf_obj *obj;
+ 	int num;
+-	int xref_len = pdf_xref_len(ctx, doc);
+ 
+-	for (num = 0; num < xref_len; num++)
++	/* xref_len may change due to repair, so check it every iteration */
++	for (num = 0; num < pdf_xref_len(ctx, doc); num++)
+ 	{
+ 		if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
+ 		{
+@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co
+ 	opts->continue_on_error = in_opts->continue_on_error;
+ 	opts->errors = in_opts->errors;
+ 
+-	expand_lists(ctx, opts, xref_len + 3);
++	expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Free the resources held by the dynamic write options */
+@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd
+ 		{
+ 			pdf_ensure_solid_xref(ctx, doc, xref_len);
+ 			preloadobjstms(ctx, doc);
++
++			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 		}
+ 
+ 		/* Sweep & mark objects from the trailer */
+@@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context *ctx, pd
+ 		else
+ 		{
+ 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 			for (num = 0; num < xref_len; num++)
+ 				opts->use_list[num] = 1;
+ 		}
+@@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd
+ 		if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
+ 		{
+ 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++			expand_lists(ctx, opts, xref_len);
+ 			while (xref_len > 0 && !opts->use_list[xref_len-1])
+ 				xref_len--;
+ 		}
diff --git a/CVE-2018-6192.patch b/CVE-2018-6192.patch
new file mode 100644
index 0000000..f302c34
--- /dev/null
+++ b/CVE-2018-6192.patch
@@ -0,0 +1,38 @@
+From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Tue, 30 Jan 2018 02:05:57 +0100
+Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
+
+---
+ source/pdf/pdf-parse.c | 2 ++
+ source/pdf/pdf-xref.c  | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
++++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
+@@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d
+ 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
+ 	}
+ 	num = buf->i;
++	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
+ 
+ 	tok = pdf_lex(ctx, file, buf);
+ 	if (tok != PDF_TOK_INT)
+Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
+@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_
+ 	}
+ 
+ 	/* Prevent accidental heap underflow */
+-	if (num < 0)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
++	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
+ 
+ 	/* Return the pointer to the entry in the last section. */
+ 	xref = &doc->xref_sections[doc->num_xref_sections-1];
diff --git a/CVE-2018-6544.patch b/CVE-2018-6544.patch
new file mode 100644
index 0000000..ff81e36
--- /dev/null
+++ b/CVE-2018-6544.patch
@@ -0,0 +1,53 @@
+Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
++++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
+@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
+ 		*orig_gen = 0;
+ 	}
+ 
+-	fz_var(chain);
++	chain = fz_keep_stream(ctx, chain);
+ 
+ 	fz_try(ctx)
+ 	{
+ 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
+ 
+-		/* don't close chain when we close this filter */
+-		chain2 = fz_keep_stream(ctx, chain);
++		chain2 = chain;
+ 		chain = NULL;
+ 		chain = fz_open_null(ctx, chain2, len, offset);
+ 
+Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
+@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
+ 	{
+ 		objstm = pdf_load_object(ctx, doc, num);
+ 
++		if (pdf_obj_marked(ctx, objstm))
++			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
++	}
++	fz_catch(ctx)
++	{
++		pdf_drop_obj(ctx, objstm);
++		fz_rethrow(ctx);
++	}
++
++	fz_try(ctx)
++	{
++		pdf_mark_obj(ctx, objstm);
++
+ 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
+ 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
+ 
+@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
+ 		fz_drop_stream(ctx, stm);
+ 		fz_free(ctx, ofsbuf);
+ 		fz_free(ctx, numbuf);
++		pdf_unmark_obj(ctx, objstm);
+ 		pdf_drop_obj(ctx, objstm);
+ 	}
+ 	fz_catch(ctx)
diff --git a/mupdf.changes b/mupdf.changes
index f1dc2fc..015b5c3 100644
--- a/mupdf.changes
+++ b/mupdf.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Fri Feb  2 20:48:34 UTC 2018 - kbabioch@suse.com
+
+- CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192
+  boo#1077755)
+
+-------------------------------------------------------------------
+Fri Feb  2 14:58:40 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in
+  pdf/pdf-xref.c (CVE-2018-6544 boo#1079100)
+
+- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within
+  pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755)
+
+-------------------------------------------------------------------
+Fri Feb  2 07:52:06 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c
+  in the do_pdf_save_document function (CVE-2018-6187 boo#1077407)
+
 -------------------------------------------------------------------
 Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com
 
diff --git a/mupdf.spec b/mupdf.spec
index b56c092..8ea5fc4 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -30,6 +30,9 @@ Source2:        mupdf.png
 Patch1:         fix-openjpeg-flags.patch
 Patch2:         CVE-2018-5686.patch
 Patch3:         CVE-2017-17858.patch
+Patch4:         CVE-2018-6187.patch
+Patch5:         CVE-2018-6192.patch
+Patch6:         CVE-2018-6544.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@@ -68,6 +71,9 @@ based on mupdf.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)