diff --git a/0001-vmcstream-Fix-buffer-overflow-sending-data-to-task.patch b/0001-vmcstream-Fix-buffer-overflow-sending-data-to-task.patch
new file mode 100644
index 0000000..195d745
--- /dev/null
+++ b/0001-vmcstream-Fix-buffer-overflow-sending-data-to-task.patch
@@ -0,0 +1,57 @@
+From c188c382afcad1a054541f8b101fa1044e2289cf Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Sun, 2 Jun 2019 19:02:25 +0100
+Subject: [PATCH spice-gtk] vmcstream: Fix buffer overflow sending data to task
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The "count" variable is used to store the full length of the
+initial buffer set using spice_vmc_input_stream_read_all_async or
+spice_vmc_input_stream_read_async.
+However on spice_vmc_input_stream_co_data the "buffer" variable is
+increased by the amount read into it.
+On potential next loop "count" is still used to compute the bytes to
+read but now "buffer + count" points past the original buffer.
+So we need to take into account the position written in order to
+compute the right limit.
+Tested with WebDAV.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1720532
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/vmcstream.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/vmcstream.c b/src/vmcstream.c
+index 0634bce..86c949a 100644
+--- a/src/vmcstream.c
++++ b/src/vmcstream.c
+@@ -142,17 +142,16 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
+ 
+         g_return_if_fail(self->task != NULL);
+ 
+-        gsize min = MIN(self->count, size);
+-        memcpy(self->buffer, data, min);
++        gsize min = MIN(self->count - self->pos, size);
++        memcpy(self->buffer + self->pos, data, min);
+ 
+         size -= min;
+         data += min;
+ 
+-        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
+-                    "/%" G_GSIZE_FORMAT, min, self->count);
+-
+         self->pos += min;
+-        self->buffer += min;
++
++        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
++                    "/%" G_GSIZE_FORMAT, self->pos, self->count);
+ 
+         if (self->all && min > 0 && self->pos != self->count)
+             continue;
+-- 
+2.22.0.rc2.384.g1a9a72ea1d
+
diff --git a/spice-gtk.spec b/spice-gtk.spec
index 0bdc3c7..e77e23a 100644
--- a/spice-gtk.spec
+++ b/spice-gtk.spec
@@ -2,7 +2,7 @@
 
 Name:           spice-gtk
 Version:        0.37
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A GTK+ widget for SPICE clients
 
 License:        LGPLv2+
@@ -12,6 +12,8 @@ Source0:        https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_v
 Source1:        https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig
 Source2:        victortoso-E37A484F.keyring
 
+Patch0001:      0001-vmcstream-Fix-buffer-overflow-sending-data-to-task.patch
+
 BuildRequires: git-core
 BuildRequires: meson
 BuildRequires: intltool
@@ -192,6 +194,9 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %{_bindir}/spicy-stats
 
 %changelog
+* Fri Jun 14 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.37-2
+- Add 0001-vmcstream-Fix-buffer-overflow-sending-data-to-task.patch fix. rhbz#1720532
+
 * Thu May 16 2019 Victor Toso <victortoso@redhat.com> - 0.37-1
 - Update to v0.37
 - Add gpg check to release's signature