diff --git a/CVE-2018-5686.patch b/CVE-2018-5686.patch
new file mode 100644
index 0000000..e94b59a
--- /dev/null
+++ b/CVE-2018-5686.patch
@@ -0,0 +1,42 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=include%2Fmupdf%2Ffitz%2Fstream.h;h=790a0a83d3850facdceefb3c3e598fdb63d4e14d;hp=cd26be9039c064c8028fd6ca958044d133644e29;hb=b70eb93f6936c03d8af52040bbca4d4a7db39079;hpb=0d7359fbcd331ec0a22ec163dacff953f9817814
+
+Index: mupdf-1.12.0-source/include/mupdf/fitz/stream.h
+===================================================================
+--- mupdf-1.12.0-source.orig/include/mupdf/fitz/stream.h
++++ mupdf-1.12.0-source/include/mupdf/fitz/stream.h
+@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_con
+
+ if (len)
+ return len;
++ if (stm->eof)
++ return 0;
++
+ fz_try(ctx)
+- {
+ c = stm->next(ctx, stm, max);
+- }
+ fz_catch(ctx)
+ {
+ fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_contex
+
+ if (stm->rp != stm->wp)
+ return *stm->rp++;
++ if (stm->eof)
++ return EOF;
+ fz_try(ctx)
+- {
+ c = stm->next(ctx, stm, 1);
+- }
+ fz_catch(ctx)
+ {
+ fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_contex
+
+ if (stm->rp != stm->wp)
+ return *stm->rp;
++ if (stm->eof)
++ return EOF;
+
+ c = stm->next(ctx, stm, 1);
+ if (c != EOF)
diff --git a/mupdf.changes b/mupdf.changes
index b2be24f..0fc6742 100644
--- a/mupdf.changes
+++ b/mupdf.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com
+
+- Add CVE-2018-5686.patch to fix an infinite loop
+ CVE-2018-5686 bsc#1075936
+
 -------------------------------------------------------------------
 Sun Jan 14 03:11:32 UTC 2018 - avindra@opensuse.org
 
diff --git a/mupdf.spec b/mupdf.spec
index f462e66..79b7115 100644
--- a/mupdf.spec
+++ b/mupdf.spec
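Review bot: The new CVE-2018-5686.patch has no description header, only an `X-Git-Url` line pointing at a single-file `blobdiff_plain` for `include/mupdf/fitz/stream.h`, so the file itself does not say what it fixes or whether it is the complete upstream change. I would add a short header above the `Index:` line, for example `Subject: do not call stm->next() again once stm->eof is set (CVE-2018-5686, bsc#1075936)` and `Upstream: mupdf.git commit b70eb93f6936c03d8af52040bbca4d4a7db39079`. Because the URL selects one file only, it is worth checking that the upstream commit touches nothing else; if it does, those hunks are not in this package. The bodies of `fz_available`, `fz_read_byte` and `fz_peek_byte` continue outside the hunks, so where `stm->eof` gets set after a failed `stm->next()` cannot be confirmed from this page and should be checked against the 1.12.0 source.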
@@ -28,6 +28,7 @@ Source0: https://mupdf.com/downloads/mupdf-%{version}-source.tar.xz#/%{na Source1: mupdf.desktop Source2: mupdf.png Patch1: fix-openjpeg-flags.patch +Patch2: CVE-2018-5686.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -64,6 +65,7 @@ based on mupdf. %prep %setup -q -n %{name}-%{version}-source %patch1 -p1 +%patch2 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs)