diff --git a/libpng-CVE-2015-8126.patch b/libpng-CVE-2015-8126.patch
index 2044637..4b113a5 100644
--- a/libpng-CVE-2015-8126.patch
+++ b/libpng-CVE-2015-8126.patch
@@ -1,5 +1,42 @@
+diff --git a/pngrutil.c b/pngrutil.c
+index 8f8edbc..5ca4dcb 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -866,7 +866,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ {
+    png_color palette[PNG_MAX_PALETTE_LENGTH];
+-   int num, i;
++   int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    png_colorp pal_ptr;
+ #endif
+@@ -927,6 +927,14 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
++   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
++       max_palette_length = (1 << png_ptr->bit_depth);
++   else
++       max_palette_length = PNG_MAX_PALETTE_LENGTH;
++
++   if (num > max_palette_length)
++       num = max_palette_length;
++
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+    {
+@@ -959,7 +967,7 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ #endif
+    {
+-      png_crc_finish(png_ptr, 0);
++      png_crc_finish(png_ptr, (int) length - num * 3);
+    }
+ 
+ #ifndef PNG_READ_OPT_PLTE_SUPPORTED
 diff --git a/pngset.c b/pngset.c
-index 5f62af1..772df71 100644
+index 5f62af1..42e0dc2 100644
 --- a/pngset.c
 +++ b/pngset.c
 @@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
@@ -17,10 +54,23 @@ index 5f62af1..772df71 100644
 +   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
 +      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 +
-+   if (num_palette < 0 || num_palette > max_palette_length)
++   if (num_palette < 0 || num_palette > (int) max_palette_length)
     {
        if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
           png_error(png_ptr, "Invalid palette length");
+diff --git a/pngwrite.c b/pngwrite.c
+index 3c8cbbe..39ef69e 100644
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -206,7 +206,7 @@ png_write_info(png_structrp png_ptr, png_const_inforp info_ptr)
+       png_write_PLTE(png_ptr, info_ptr->palette,
+           (png_uint_32)info_ptr->num_palette);
+ 
+-   else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
++   else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       png_error(png_ptr, "Valid palette required for paletted images");
+ 
+ #ifdef PNG_WRITE_tRNS_SUPPORTED
 diff --git a/pngwutil.c b/pngwutil.c
 index 9e6019e..01be584 100644
 --- a/pngwutil.c
diff --git a/libpng.spec b/libpng.spec
index 30bacca..553f93f 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.18
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       zlib
 Group:         System Environment/Libraries
 URL:           http://www.libpng.org/pub/png/
@@ -112,6 +112,10 @@ make check
 %{_bindir}/pngfix
 
 %changelog
+* Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-3
+- fix for CVE-2015-8126 (#1281756, #1281757)
+- correct patch
+
 * Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-2
 - fix for CVE-2015-8126 (#1281756)