diff --git a/CVE-2018-6187.patch b/CVE-2018-6187.patch
new file mode 100644
index 0000000..b0db024
--- /dev/null
+++ b/CVE-2018-6187.patch
@@ -0,0 +1,63 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89
+
+Index: mupdf-1.12.0-source/source/pdf/pdf-write.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c
++++ mupdf-1.12.0-source/source/pdf/pdf-write.c
+@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_
+ {
+ int i;
+ 
+- num++;
++ /* objects are numbered 0..num and maybe two additional objects for linearization */
++ num += 3;
+ opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
+ opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
+ opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
+@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c
+ {
+ pdf_obj *obj;
+ int num;
+- int xref_len = pdf_xref_len(ctx, doc);
+ 
+- for (num = 0; num < xref_len; num++)
++ /* xref_len may change due to repair, so check it every iteration */
++ for (num = 0; num < pdf_xref_len(ctx, doc); num++)
+ {
+ if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
+ {
+@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co
+ opts->continue_on_error = in_opts->continue_on_error;
+ opts->errors = in_opts->errors;
+ 
+- expand_lists(ctx, opts, xref_len + 3);
++ expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Free the resources held by the dynamic write options */
+@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd
+ {
+ pdf_ensure_solid_xref(ctx, doc, xref_len);
+ preloadobjstms(ctx, doc);
++
++ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ }
+ 
+ /* Sweep & mark objects from the trailer */
+@@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context *ctx, pd
+ else
+ {
+ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ for (num = 0; num < xref_len; num++)
+ opts->use_list[num] = 1;
+ }
+@@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd
+ if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
+ {
+ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
++ expand_lists(ctx, opts, xref_len);
+ while (xref_len > 0 && !opts->use_list[xref_len-1])
+ xref_len--;
+ }
diff --git a/mupdf.changes b/mupdf.changes
index f1dc2fc..d72d751 100644
--- a/mupdf.changes
+++ b/mupdf.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c
+ in the do_pdf_save_document function (CVE-2018-6187 boo#1077407)
+
 -------------------------------------------------------------------
 Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com
diff --git a/mupdf.spec b/mupdf.spec
index b56c092..da76292 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -30,6 +30,7 @@ Source2: mupdf.png
 Patch1: fix-openjpeg-flags.patch
 Patch2: CVE-2018-5686.patch
 Patch3: CVE-2017-17858.patch
+Patch4: CVE-2018-6187.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc-c++
 BuildRequires: jbig2dec-devel
@@ -68,6 +69,7 @@ based on mupdf.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)
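Review bot: The resync of `xref_len` with the per-object list sizes is now hand-written at three sites in do_pdf_save_document (after preloadobjstms, in the `else` branch, and in the `do_garbage >= 2 || do_linear` branch), and each one only covers the indexing that follows that exact point; if any later phase that loads objects — the pass announced by the `/* Sweep & mark objects from the trailer */` context line, which lies outside the hunk — can also trigger a repair, `use_list`/`ofs_list`/`gen_list` end up undersized again and the out-of-bounds write this patch addresses recurs. A small helper that re-reads `pdf_xref_len` and grows the lists in one step, called from every such site, makes the invariant harder to forget; a sketch follows, with `pdf_write_state` and `pdf_document` standing in for the opts and doc types whose names are truncated in the hunk headers. Separately, `num += 3` in expand_lists combined with dropping `+ 3` at the initialise_write_state call site shrinks the initial reservation from xref_len+4 to xref_len+3 entries; that agrees with the new comment's accounting (objects 0..num plus two linearization objects) but should be checked against the linearization path, which is outside the hunk. expand_lists, preloadobjstms and do_pdf_save_document all start or end outside the hunk.
```c
/* Re-read the xref length (a repair can grow it) and make sure the
 * per-object lists can hold every object before they are indexed. */
static int
resync_lists(fz_context *ctx, pdf_document *doc, pdf_write_state *opts)
{
	int xref_len = pdf_xref_len(ctx, doc);
	expand_lists(ctx, opts, xref_len);
	return xref_len;
}

/* … unchanged: do_pdf_save_document up to each resync point … */
xref_len = resync_lists(ctx, doc, opts); /* replaces each pdf_xref_len + expand_lists pair */
```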