diff --git a/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch b/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
new file mode 100644
index 0000000..e03e3f3
--- /dev/null
+++ b/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
@@ -0,0 +1,52 @@
+From 5d201df72f3d4f4cb8b8f75f980169b03507da38 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Tue, 28 Nov 2017 21:38:07 +0100
+Subject: [PATCH] cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen
+---
+ cursor/xcursor.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4ac611f..689c7026729d 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage *image;
+ 
++ if (width < 0 || height < 0)
++ return NULL;
++ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++ return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, &head.delay))
+ return NULL;
+ /* sanity check data */
+- if (head.width >= 0x10000 || head.height > 0x10000)
++ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
++ head.height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+ if (head.width == 0 || head.height == 0)
+ return NULL;
+--
+2.14.3
+
diff --git a/wayland.spec b/wayland.spec
index b5e49dd..72ac8ff 100644
--- a/wayland.spec
+++ b/wayland.spec
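Review bot: The guard added to XcursorImageCreate in the nested hunk at -202 makes `width * height * sizeof (XcursorPixel)` safe only for a small enough XCURSOR_IMAGE_MAX_SIZE, and this patch does not define that macro (its diffstat lists cursor/xcursor.c alone, 7 insertions and 1 deletion), so the backport assumes the package's cursor header already provides it with a value whose square times the pixel size plus the struct header stays below SIZE_MAX on 32-bit targets. If the header in wayland-1.14.0 lacks the macro the build fails outright, which is the safer failure mode, but the value should still be checked when the patch is applied, since a clean compile alone does not prove the bound is tight enough. Independently of the constant, the product is evaluated as int before the promotion to size_t, so a wider bound would overflow in signed arithmetic; writing it as `(size_t) width * height * sizeof (XcursorPixel)` makes the size computation type-safe while keeping the guard, which remains necessary because size_t itself wraps on 32-bit. Both nested hunks sit inside functions whose bodies continue outside the shown context.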
@@ -1,12 +1,16 @@ Name: wayland Version: 1.14.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Wayland Compositor Infrastructure License: MIT URL: http://wayland.freedesktop.org/ Source0: http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz +# https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html +# Backported from upstream +Patch0: 0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch + BuildRequires: chrpath BuildRequires: docbook-style-xsl BuildRequires: doxygen @@ -66,7 +70,7 @@ Wayland server library %prep -%setup -q +%autosetup -p1 %build @@ -127,6 +131,9 @@ XDG_RUNTIME_DIR=$PWD/tests/run make check || \ %{_libdir}/libwayland-server.so.0* %changelog +* Tue Dec 12 2017 Kalev Lember - 1.14.0-2 +- cursor: Fix heap overflows when parsing malicious files (#1522638) + * Wed Aug 09 2017 Kalev Lember - 1.14.0-1 - Update to 1.14.0