diff --git a/0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
new file mode 100644
index 0000000..3772293
--- /dev/null
+++ b/0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
@@ -0,0 +1,38 @@
+From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Sun, 28 Jul 2019 19:11:24 +0200
+Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault
+---
+ src/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/ip_input.c b/src/ip_input.c
+index 50c7657..8c75d91 100644
+--- a/src/ip_input.c
++++ b/src/ip_input.c
+@@ -326,6 +326,8 @@ insert:
+ q = fp->frag_link.next;
+ m = dtom(slirp, q);
+
++ int was_ext = m->m_flags & M_EXT;
++
+ q = (struct ipasfrag *)q->ipf_next;
+ while (q != (struct ipasfrag *)&fp->frag_link) {
+ struct mbuf *t = dtom(slirp, q);
+@@ -348,7 +350,7 @@ insert:
+ * the old buffer (in the mbuf), so we must point ip
+ * into the new buffer.
+ */
+- if (m->m_flags & M_EXT) {
++ if (!was_ext && m->m_flags & M_EXT) {
+ int delta = (char *)q - m->m_dat;
+ q = (struct ipasfrag *)(m->m_ext + delta);
+ }
+--
+2.22.0.545.g9c9b961d7e
+
diff --git a/libslirp.spec b/libslirp.spec
index 36bbc92..c529fcf 100644
--- a/libslirp.spec
+++ b/libslirp.spec
@@ -1,6 +1,6 @@
 Name: libslirp
 Version: 4.0.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A general purpose TCP-IP emulator
 # check the SPDX tags in source files for details
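Review bot: The `!was_ext` guard on the `if (!was_ext && m->m_flags & M_EXT)` line correctly stops the m_dat-relative fixup when the first fragment's mbuf already had external storage, but in that case `q` — which the surrounding comment says still points into the old buffer — is left as is, and if concatenating the remaining fragments has to grow (and therefore possibly move) that external buffer, `q` would still address the previous allocation; worth confirming that the growth path keeps `m_ext` in place, or re-deriving `q` from the current `m_ext` in that branch as well. The concatenation loop continues past the first hunk's last visible line `struct mbuf *t = dtom(slirp, q);`: if it reads `q->ipf_next` only after `t` has been concatenated and released, that read touches freed memory, so `q` should be advanced before the concatenation. A readability point on the same line: `!was_ext && m->m_flags & M_EXT` relies on `&` binding tighter than `&&`; `if (!was_ext && (m->m_flags & M_EXT))` states the intent, and `int was_ext` deserves a one-line comment such as `/* M_EXT before concatenation: fragment pointers already address m_ext, not m_dat */`.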
@@ -8,6 +8,8 @@ License: BSD and MIT
 URL: https://gitlab.freedesktop.org/slirp/%{name}
 Source0: %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
+Patch0001: 0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
+BuildRequires: git-core
 BuildRequires: meson
 BuildRequires: gcc
 BuildRequires: glib2-devel
@@ -27,7 +29,7 @@ developing applications that use %{name}.
 %prep
-%autosetup -n %{name}-v%{version}
+%autosetup -S git_am -n %{name}-v%{version}
 %build
 %meson
@@ -51,6 +53,9 @@ developing applications that use %{name}.
 %changelog
+* Fri Aug 2 2019 Marc-André Lureau - 4.0.0-3
+- Fix CVE-2019-14378, rhbz#1735654
+
 * Thu Jul 25 2019 Fedora Release Engineering - 4.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild