diff -Nru libgadu-1.11.1/debian/changelog libgadu-1.11.1/debian/changelog
--- libgadu-1.11.1/debian/changelog 2014-02-07 14:10:09.000000000 +0000
+++ libgadu-1.11.1/debian/changelog 2014-05-20 12:33:31.000000000 +0000
@@ -1,3 +1,12 @@
+libgadu (1:1.11.1-1ubuntu0.2) precise-security; urgency=medium
+
+ * SECURITY UPDATE: memory corruption via crafted message from file relay
+ server
+ - debian/patches/CVE-2014-3775.patch: check relay_count in src/dcc7.c.
+ - CVE-2014-3775
+
+ -- Marc Deslauriers Tue, 20 May 2014 08:33:31 -0400
+
 libgadu (1:1.11.1-1ubuntu0.1) precise-security; urgency=medium
 
 * SECURITY UPDATE: buffer overflow in gadu-gadu HTTP parsing
diff -Nru libgadu-1.11.1/debian/patches/CVE-2014-3775.patch libgadu-1.11.1/debian/patches/CVE-2014-3775.patch
--- libgadu-1.11.1/debian/patches/CVE-2014-3775.patch 1970-01-01 00:00:00.000000000 +0000
+++ libgadu-1.11.1/debian/patches/CVE-2014-3775.patch 2014-05-20 12:33:26.000000000 +0000
@@ -0,0 +1,44 @@
+Description: fix memory corruption via crafted message from file relay server
+Origin: upstream, https://github.com/wojtekka/libgadu/commit/f45ff34dfe2edab54d6fa185e8b87246ab100bd4
+Origin: upstream, https://github.com/wojtekka/libgadu/commit/0db17ad635b07566d4e53a773919c16472341966
+
+Index: libgadu-1.11.2/src/dcc7.c
+===================================================================
+--- libgadu-1.11.2.orig/src/dcc7.c 2012-06-18 17:09:31.000000000 -0400
++++ libgadu-1.11.2/src/dcc7.c 2014-05-20 08:30:35.333011183 -0400
+@@ -1423,6 +1423,7 @@
+ char buf[256];
+ struct gg_dcc7_relay_reply *pkt;
+ struct gg_dcc7_relay_reply_server srv;
++ size_t max_relay_count = (sizeof(buf) - sizeof(*pkt)) / sizeof(srv);
+ int res;
+ int i;
+ 
+@@ -1439,7 +1440,7 @@
+ 
+ pkt = (struct gg_dcc7_relay_reply*) buf;
+ 
+- if (gg_fix32(pkt->magic) != GG_DCC7_RELAY_REPLY || gg_fix32(pkt->rcount) < 1 || gg_fix32(pkt->rcount > 256) || gg_fix32(pkt->len) < sizeof(*pkt) + gg_fix32(pkt->rcount) * sizeof(srv)) {
++ if (gg_fix32(pkt->magic) != GG_DCC7_RELAY_REPLY || gg_fix32(pkt->rcount) < 1 || gg_fix32(pkt->rcount) > 256 || gg_fix32(pkt->len) < sizeof(*pkt) + gg_fix32(pkt->rcount) * sizeof(srv)) {
+ gg_debug_dcc(dcc, GG_DEBUG_MISC, "// gg_dcc7_wathc_fd() invalid reply\n");
+ errno = EINVAL;
+ e->type = GG_EVENT_DCC7_ERROR;
+@@ -1454,6 +1455,18 @@
+ 
+ dcc->relay_index = 0;
+ dcc->relay_count = gg_fix32(pkt->rcount);
++
++ if (dcc->relay_count > 0xffff ||
++ (size_t)dcc->relay_count > max_relay_count)
++ {
++ gg_debug_dcc(dcc, GG_DEBUG_MISC,
++ "// gg_dcc7_watch_fd() relay_count out "
++ "of bounds (%d)\n", dcc->relay_count);
++ dcc->relay_count = 0;
++ free(e);
++ return NULL;
++ }
++
+ dcc->relay_list = malloc(dcc->relay_count * sizeof(gg_dcc7_relay_t));
+ 
+ if (dcc->relay_list == NULL) {
diff -Nru libgadu-1.11.1/debian/patches/series libgadu-1.11.1/debian/patches/series
--- libgadu-1.11.1/debian/patches/series 2014-02-07 14:10:03.000000000 +0000
+++ libgadu-1.11.1/debian/patches/series 2014-05-20 12:33:26.000000000 +0000
@@ -1 +1,2 @@
 CVE-2013-6487.patch
+CVE-2014-3775.patch
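Review bot: In the third src/dcc7.c hunk of the added CVE-2014-3775.patch, the new relay_count bound fails with `free(e); return NULL;` and never sets errno, whereas the neighbouring invalid-reply check in the second hunk reports the same class of malformed relay reply as `e->type = GG_EVENT_DCC7_ERROR` with `errno = EINVAL`, so a caller sees two different failure signals for one condition. At minimum add `errno = EINVAL;` before `return NULL;`; routing the new branch through the same error-event path would keep the contract uniform, though how that path continues is outside the hunk. The `dcc->relay_count > 0xffff` clause is unreachable once the preceding check rejects `rcount > 256`, so a short comment such as `/* rcount is already capped at 256 above; kept as defence in depth */` would stop the next reader from hunting for the case it covers. The enclosing function (gg_dcc7_watch_fd, going by the debug strings) starts and ends outside the hunk.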