diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes
index 58106bc..9f97669 100644
--- a/glibc-testsuite.changes
+++ b/glibc-testsuite.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+ bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de
diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec
index 42ee5a9..3c95b08 100644
--- a/glibc-testsuite.spec
+++ b/glibc-testsuite.spec
@@ -242,6 +242,8 @@ Patch306: glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to
 Patch1000: fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001: malloc-overflows.patch
 ###
 # Patches awaiting upstream approval
@@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1
 %patch1000 -p1
+%patch1001 -p1
 # XXX Disable, it breaks the testsuite, test elf/tst-audit2
 # %patch2008 -p1
diff --git a/glibc-utils.changes b/glibc-utils.changes
index 58106bc..9f97669 100644
--- a/glibc-utils.changes
+++ b/glibc-utils.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+ bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de
diff --git a/glibc-utils.spec b/glibc-utils.spec
index 2dc9819..63cfc1c 100644
--- a/glibc-utils.spec
+++ b/glibc-utils.spec
@@ -241,6 +241,8 @@ Patch306: glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to
 Patch1000: fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001: malloc-overflows.patch
 ###
 # Patches awaiting upstream approval
@@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1
 %patch1000 -p1
+%patch1001 -p1
 # XXX Disable, it breaks the testsuite, test elf/tst-audit2
 # %patch2008 -p1
diff --git a/glibc.changes b/glibc.changes
index 58106bc..9f97669 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+ bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de
diff --git a/glibc.spec b/glibc.spec
index f2fbbb0..54dbb02 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -242,6 +242,8 @@ Patch306: glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to
 Patch1000: fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001: malloc-overflows.patch
 ###
 # Patches awaiting upstream approval
@@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1
 %patch1000 -p1
+%patch1001 -p1
 # XXX Disable, it breaks the testsuite, test elf/tst-audit2
 # %patch2008 -p1
diff --git a/malloc-overflows.patch b/malloc-overflows.patch
new file mode 100644
index 0000000..15f2369
--- /dev/null
+++ b/malloc-overflows.patch
@@ -0,0 +1,60 @@
+2013-09-11 Will Newton
+
+ [BZ #15857]
+ * malloc/malloc.c (__libc_memalign): Check the value of bytes
+ does not overflow.
+
+ [BZ #15856]
+ * malloc/malloc.c (__libc_valloc): Check the value of bytes
+ does not overflow.
+
+ [BZ #15855]
+ * malloc/malloc.c (__libc_pvalloc): Check the value of bytes
+ does not overflow.
+
+Index: glibc-2.18/malloc/malloc.c
+===================================================================
+--- glibc-2.18.orig/malloc/malloc.c
++++ glibc-2.18/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
+@@ -3046,6 +3053,13 @@ __libc_valloc(size_t bytes)
+
+ size_t pagesz = GLRO(dl_pagesize);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
+@@ -3082,6 +3096,13 @@ __libc_pvalloc(size_t bytes)
+ size_t page_mask = GLRO(dl_pagesize) - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
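Review bot: The guard added to __libc_memalign, `if (bytes > SIZE_MAX - alignment - MINSIZE)`, can itself wrap, because the visible code only raises `alignment` to at least MINSIZE and never bounds it from above. For an alignment close to SIZE_MAX the right-hand side underflows to a large value, so the check passes while `bytes + alignment + MINSIZE` in the arena_get call still overflows. Unless alignment is capped elsewhere in the function (its body starts and ends outside the inner hunk), I would reject oversized alignments before this check, e.g. `if (alignment > SIZE_MAX / 2 + 1) { __set_errno (EINVAL); return 0; }`. The __libc_valloc and __libc_pvalloc guards subtract only page-size multiples and do not share the problem, though in __libc_pvalloc the check could sit above the `rounded_bytes` computation so the rounding is never evaluated on a rejected size. The patch also carries no test that exercises these boundary sizes.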