diff --git a/0005-ui-vnc-avoid-floating-point-exception.patch b/0005-ui-vnc-avoid-floating-point-exception.patch
new file mode 100644
index 0000000..9b39aa6
--- /dev/null
+++ b/0005-ui-vnc-avoid-floating-point-exception.patch
@@ -0,0 +1,41 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan <lianyihan@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3)
+---
+ ui/vnc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index caf82f5..52c6809 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
+-    vs->client_pf.rmax = red_max;
++    vs->client_pf.rmax = red_max ? red_max : 0xFF;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+     vs->client_pf.rmask = red_max << red_shift;
+-    vs->client_pf.gmax = green_max;
++    vs->client_pf.gmax = green_max ? green_max : 0xFF;
+     vs->client_pf.gbits = hweight_long(green_max);
+     vs->client_pf.gshift = green_shift;
+     vs->client_pf.gmask = green_max << green_shift;
+-    vs->client_pf.bmax = blue_max;
++    vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+     vs->client_pf.bbits = hweight_long(blue_max);
+     vs->client_pf.bshift = blue_shift;
+     vs->client_pf.bmask = blue_max << blue_shift;
diff --git a/qemu.spec b/qemu.spec
index 8d55887..e7bb89d 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,7 +40,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.4.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -76,6 +76,8 @@ Patch0002: 0002-eepro100-Prevent-two-endless-loops.patch
 Patch0003: 0003-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
 # CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
 Patch0004: 0004-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
+# vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+Patch0005: 0005-ui-vnc-avoid-floating-point-exception.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1208,6 +1210,9 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Tue Dec 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.1-3
+- vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+
 * Mon Dec 07 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.1-2
 - Fix SSE4 emulation with accel=tcg (bz #1270703)
 - CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)