diff --git a/FreeImage-3.17.0_CVE-2016-5684.patch b/FreeImage-3.17.0_CVE-2016-5684.patch
new file mode 100644
index 0000000..1df2646
--- /dev/null
+++ b/FreeImage-3.17.0_CVE-2016-5684.patch
@@ -0,0 +1,24 @@
+diff -rupN FreeImage/Source/FreeImage/PluginXPM.cpp FreeImage-new/Source/FreeImage/PluginXPM.cpp
+--- FreeImage/Source/FreeImage/PluginXPM.cpp 2015-03-02 02:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginXPM.cpp 2016-10-04 16:40:11.975271194 +0200
+@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ }
+ free(str);
+
++ // check info string
++ if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) {
++ throw "Improperly formed info string";
++ }
++
+ if (colors > 256) {
+ dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+ } else {
+@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle,
+ FILE_RGBA rgba;
+
+ str = ReadString(io, handle);
+- if(!str)
++ if(!str || (strlen(str) < (size_t)cpp))
+ throw "Error reading color strings";
+
+ std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars
diff --git a/freeimage.spec b/freeimage.spec
index ad63550..643c4b8 100644
--- a/freeimage.spec
+++ b/freeimage.spec
@@ -3,7 +3,7 @@ Name: freeimage Version: 3.17.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Multi-format image decoder library # freeimage is tripple-licensed, see
@@ -18,6 +18,8 @@ Patch0: FreeImage-3.17.0_unbundle.patch Patch1: FreeImage-3.17.0_doxygen.patch # Fix CVE-2015-0852 (#1257859) Patch2: FreeImage-3.17.0_CVE-2015-0852.patch +# Fix CVE-2016-5684 (#1381517) +Patch3: FreeImage-3.17.0_CVE-2016-5684.patch BuildRequires: doxygen BuildRequires: jxrlib-devel
@@ -67,6 +69,7 @@ developing applications that use %{name}-plus. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 # remove all included libs to make sure these don't get used during compile rm -r Source/Lib* Source/ZLib Source/OpenEXR
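Review bot: In the second PluginXPM.cpp hunk of the added patch, the widened test `if(!str || (strlen(str) < (size_t)cpp))` now throws while `str` is non-null, and nothing on that path releases it; the `free(str);` in the first hunk shows that Load() owns the buffers ReadString() returns. Unless the catch handler frees it (the handler is outside the hunk), every too-short colour line in a malformed XPM leaks one buffer, so I would put `if(str && (strlen(str) < (size_t)cpp)) { free(str); str = NULL; }` ahead of the existing `if(!str)` test. Any other place in Load() that takes `cpp` characters from a ReadString() result is also outside these hunks and should be confirmed to have the same length check before this is treated as a complete fix for CVE-2016-5684.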
@@ -88,11 +91,11 @@ done sh ./gensrclist.sh sh ./genfipsrclist.sh %ifarch %{power64} %{mips32} -make -f Makefile.gnu %{?_smp_mflags} CFLAGS="%{optflags} -fPIC" CXXFLAGS="%{optflags} -fPIC" LDFLAGS="%{__global_ldflags}" -make -f Makefile.fip %{?_smp_mflags} CFLAGS="%{optflags} -fPIC" CXXFLAGS="%{optflags} -fPIC" LDFLAGS="%{__global_ldflags}" +%make_build -f Makefile.gnu CFLAGS="%{optflags} -fPIC" CXXFLAGS="%{optflags} -fPIC" LDFLAGS="%{__global_ldflags}" +%make_build -f Makefile.fip CFLAGS="%{optflags} -fPIC" CXXFLAGS="%{optflags} -fPIC" LDFLAGS="%{__global_ldflags}" %else -make -f Makefile.gnu %{?_smp_mflags} CFLAGS="%{optflags}" CXXFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" -make -f Makefile.fip %{?_smp_mflags} CFLAGS="%{optflags}" CXXFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" +%make_build -f Makefile.gnu CFLAGS="%{optflags}" CXXFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" +%make_build -f Makefile.fip CFLAGS="%{optflags}" CXXFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" %endif pushd Wrapper/FreeImagePlus/doc
@@ -146,6 +149,9 @@ ldconfig -n %{buildroot}%{_libdir} %changelog +* Tue Oct 04 2016 Sandro Mani - 3.17.0-7 +- Fix CVE-2016-5684 (rhbz#1381517) + * Fri Aug 12 2016 Michal Toman - 3.17.0-6 - -fPIC on 32-bit MIPS
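Review bot: The switch from `make ... %{?_smp_mflags}` to `%make_build` on the four build lines under `%ifarch`/`%else` is unrelated to the CVE fix and is not recorded in the new 3.17.0-7 `%changelog` entry, which makes the security update harder to audit and to backport on its own. Either move it to a separate commit or add a line such as `- Use %%make_build` under that entry. The build section these lines belong to starts and ends outside the hunk.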