diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2015-09-01 18:19:46.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2019-03-20 20:19:56.000000000 +0000 @@ -1,3 +1,27 @@ +gpac (0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1) xenial-security; urgency=medium + + * SECURITY UPDATE: Fix multiple buffer overflow issues + - debian/patches/CVE-2018-7752-CVE-2018-1000100.patch: fix buffer overflow + in the gf_media_avc_read_sps + - debian/patches/CVE-2018-13005-CVE-2018-13006.patch: fixed 2 possible + heap overflows + - debian/patches/CVE-2018-20760.patch: check error code on call to + gf_utf8_wcstombs + - debian/patches/CVE-2018-20761-CVE-2018-20762.patch: fix some overflows + due to strcpy + - debian/patches/CVE-2018-20763.patch: add some boundary checks on + gf_text_get_utf8_line + - CVE-2018-7752 + - CVE-2018-13005 + - CVE-2018-13006 + - CVE-2018-20760 + - CVE-2018-20761 + - CVE-2018-20762 + - CVE-2018-20763 + - CVE-2018-1000100 + + -- Paulo Flabiano Smorigo Wed, 20 Mar 2019 17:19:22 -0300 + gpac (0.5.2-426-gc5ad4e4+dfsg5-1build1) wily; urgency=medium * No-change rebuild against ffmpeg 2.7 diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/control gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/control --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/control 2015-07-08 13:47:09.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/control 2019-03-20 17:49:02.000000000 +0000 
@@ -1,7 +1,8 @@ Source: gpac Section: graphics Priority: optional -Maintainer: Debian Multimedia Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Multimedia Maintainers Uploaders: Reinhard Tartler , Alessio Treglia , diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005-CVE-2018-13006.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005-CVE-2018-13006.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005-CVE-2018-13006.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005-CVE-2018-13006.patch 2019-03-19 15:35:32.000000000 +0000 
@@ -0,0 +1,44 @@ +From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 28 Jun 2018 13:34:08 +0200 +Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088) + +--- + include/gpac/internal/isomedia_dev.h | 2 +- + src/isomedia/box_code_base.c | 2 +- + src/isomedia/box_dump.c | 14 +++++++------- + 3 files changed, 9 insertions(+), 9 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h +@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_ + char __ptype[5];\ + strcpy(__ptype, gf_4cc_to_str(__parent->type) );\ + GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \ +- gf_isom_box_del(a);\ ++ gf_isom_box_del(__abox);\ + return GF_OK;\ + } + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c +@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream + + //then get the break + i = 0; +- while ( (tmpName[i] != 0) && (i < to_read) ) { ++ while ( (i < to_read) && (tmpName[i] != 0) ) { + i++; + } + //check the data is consistent +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c +@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace + GF_Err hdlr_dump(GF_Box *a, FILE * trace) + { + GF_HandlerBox *p = (GF_HandlerBox *)a; +- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { ++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { + fprintf(trace, "handlerType), p->nameUTF8+1); + } else { + fprintf(trace, "handlerType), p->nameUTF8); diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch --- 
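Review bot: In the hdlr_dump hunk the rewritten condition `(u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1` relies on size_t wrap-around for an empty name: strlen() returns 0, the subtraction yields SIZE_MAX, and the comparison can then never hold because nameUTF8[0] is 0 in that case. That is correct but easy to break on the next edit, so I would add `/* empty name: strlen()-1 wraps to SIZE_MAX, the compare is false and the plain-string branch is used */` above the `if`. The urn_Read change is the right shape (bounds test sequenced before the dereference); the consistency check that follows the loop lies outside the hunk, so whether tmpName is guaranteed NUL-terminated when i reaches to_read cannot be verified here.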
gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 2019-03-19 15:36:21.000000000 +0000 @@ -0,0 +1,20 @@ +From 4c1360818fc8948e9307059fba4dc47ba8ad255d Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 13 Dec 2018 14:39:21 +0100 +Subject: [PATCH] check error code on call to gf_utf8_wcstombs (#1177) + +--- + src/media_tools/text_import.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c +@@ -259,6 +259,8 @@ char *gf_text_get_utf8_line(char *szLine + } + sptr = (u16 *)szLine; + i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr); ++ if (i >= (u32)ARRAY_LENGTH(szLineConv)) ++ return NULL; + szLineConv[i] = 0; + strcpy(szLine, szLineConv); + /*this is ugly indeed: since input is UTF16-LE, there are many chances the fgets never reads the \0 after a \n*/ diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761-CVE-2018-20762.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761-CVE-2018-20762.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761-CVE-2018-20762.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761-CVE-2018-20762.patch 2019-03-19 15:40:03.000000000 +0000 
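Review bot: The new guard `if (i >= (u32)ARRAY_LENGTH(szLineConv)) return NULL;` folds two different conditions into one silent NULL return: a conversion failure from gf_utf8_wcstombs (which, as far as I know, is reported as (size_t)-1 and becomes 0xFFFFFFFF after the u32 cast — confirm against its declaration) and a converted line that exactly fills the buffer. A one-line comment would spare the next reader that reasoning, e.g. `/* catches both the (size_t)-1 error return and a full buffer: no room for the terminator either way */`. The literal `1024` passed as the destination size on the previous line must agree with the array's real length for the guard to be meaningful; passing `sizeof(szLineConv)` there keeps the two in sync. The following `strcpy(szLine, szLineConv)` additionally assumes szLine is at least as large as szLineConv, which cannot be checked from this hunk since gf_text_get_utf8_line's signature is outside it. Note this patch uses ARRAY_LENGTH, which only exists once CVE-2018-7752-CVE-2018-1000100.patch is applied — the series file does order it first.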
@@ -0,0 +1,153 @@ +From 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Fri, 11 Jan 2019 11:32:54 +0100 +Subject: [PATCH] fix some overflows due to strcpy + +fixes #1184, #1186, #1187 among other things +--- + applications/mp4box/fileimport.c | 20 +++++++++++++++++++ + applications/mp4client/main.c | 33 +++++++++++++++++++++++++++---- + modules/ffmpeg_in/ffmpeg_demux.c | 7 +++++-- + src/scene_manager/scene_manager.c | 4 ++++ + 4 files changed, 58 insertions(+), 6 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4box/fileimport.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4box/fileimport.c +@@ -2119,17 +2119,33 @@ GF_Err cat_multiple_files(GF_ISOFile *de + cat_enum.align_timelines = align_timelines; + cat_enum.allow_add_in_command = allow_add_in_command; + ++ if (strlen(fileName) >= sizeof(cat_enum.szPath)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szPath, fileName); + sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR); + if (!sep) sep = strrchr(cat_enum.szPath, '/'); + if (!sep) { + strcpy(cat_enum.szPath, "."); ++ if (strlen(fileName) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, fileName); + } else { ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, sep+1); + sep[0] = 0; + } + sep = strchr(cat_enum.szRad1, '*'); ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad2, sep+1); + sep[0] = 0; + sep = strchr(cat_enum.szRad2, '%'); +@@ -2137,6 +2153,10 @@ GF_Err 
cat_multiple_files(GF_ISOFile *de + if (!sep) sep = strchr(cat_enum.szRad2, ':'); + strcpy(cat_enum.szOpt, ""); + if (sep) { ++ if (strlen(sep) >= sizeof(cat_enum.szOpt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szOpt, sep); + sep[0] = 0; + } +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4client/main.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4client/main.c +@@ -885,7 +885,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event + break; + case GF_EVENT_NAVIGATE: + if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) { +- strcpy(the_url, evt->navigate.to_url); ++ strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + fprintf(stderr, "Navigating to URL %s\n", the_url); + gf_term_navigate_to(term, evt->navigate.to_url); + return 1; +@@ -1534,7 +1535,14 @@ int main (int argc, char **argv) + else if (!gui_mode && url_arg) { + char *ext; + +- strcpy(the_url, url_arg); ++ if (strlen(url_arg) >= sizeof(the_url)) { ++ fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1)); ++ strncpy(the_url, url_arg, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; ++ } ++ else { ++ strcpy(the_url, url_arg); ++ } + ext = strrchr(the_url, '.'); + if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) { + GF_Err e = GF_OK; +@@ -1546,7 +1554,10 @@ int main (int argc, char **argv) + GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e); + if (sess) { + e = gf_dm_sess_process(sess); +- if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess)); ++ if (!e) { ++ strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); ++ the_url[sizeof(the_cfg) - 1] = 0; ++ } + gf_dm_sess_del(sess); + } + } +@@ -1574,7 +1585,8 @@ int main (int argc, char **argv) + fprintf(stderr, "Hit 'h' for help\n\n"); + str = 
gf_cfg_get_key(cfg_file, "General", "StartupFile"); + if (str) { +- strcpy(the_url, "MP4Client "GPAC_FULL_VERSION); ++ strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + gf_term_connect(term, str); + startup_file = 1; + is_connected = 1; +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/modules/ffmpeg_in/ffmpeg_demux.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/modules/ffmpeg_in/ffmpeg_demux.c +@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + AVFormatContext *ctx; + AVOutputFormat *fmt_out; + Bool ret = 0; +- char *ext, szName[1000], szExt[20]; ++ char *ext, szName[1024], szExt[20]; + const char *szExtList; + FFDemux *ffd; + if (!plug || !url) +@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputSer + + ffd = plug->priv; + ++ if (strlen(url) >= sizeof(szName)) ++ return GF_FALSE; ++ + strcpy(szName, url); + ext = strrchr(szName, '#'); + if (ext) ext[0] = 0; +@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + ext = strrchr(szName, '.'); + if (ext && strlen(ext) > 19) ext = NULL; + +- if (ext && strlen(ext) > 1) { ++ if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) { + strcpy(szExt, &ext[1]); + strlwr(szExt); + #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/scene_manager/scene_manager.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/scene_manager/scene_manager.c +@@ -642,6 +642,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *l + ext[0] = '.'; + ext = anext; + } ++ if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(szExt, &ext[1]); + strlwr(szExt); + if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT; diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch 
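Review bot: In the cat_multiple_files hunk the added check `if (strlen(sep + 1) >= sizeof(cat_enum.szRad2))` after `sep = strchr(cat_enum.szRad1, '*')` dereferences sep before anything confirms that strchr found a '*'; the original strcpy had the same null-pointer hazard, so it is pre-existing, but this patch is the natural place to add `if (!sep) return GF_NOT_SUPPORTED;` ahead of it unless every caller guarantees a wildcard in the name, which is not visible here. The same length test with the same log message is now repeated five times in that function; a small static helper that copies into a fixed-size buffer and logs on overflow would state the intent once. In the GF_EVENT_NAVIGATE hunk the truncated copy in the_url is only used for the diagnostic while navigation still uses `evt->navigate.to_url`, which is fine but worth a comment so nobody later "fixes" it to navigate to the truncated string. All of the function bodies touched by this hunk begin outside it.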
1970-01-01 00:00:00.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch 2019-03-19 15:42:04.000000000 +0000 
@@ -0,0 +1,125 @@ +From 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Fri, 11 Jan 2019 14:05:16 +0100 +Subject: [PATCH] add some boundary checks on gf_text_get_utf8_line (#1188) + +--- + applications/mp4client/main.c | 2 +- + src/media_tools/text_import.c | 77 +++++++++++++++++++++++------------ + 2 files changed, 53 insertions(+), 26 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4client/main.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4client/main.c +@@ -1556,7 +1556,7 @@ int main (int argc, char **argv) + e = gf_dm_sess_process(sess); + if (!e) { + strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); +- the_url[sizeof(the_cfg) - 1] = 0; ++ the_url[sizeof(the_url) - 1] = 0; + } + gf_dm_sess_del(sess); + } +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c +@@ -195,49 +195,76 @@ char *gf_text_get_utf8_line(char *szLine + if (unicode_type<=1) { + j=0; + len = (u32) strlen(szLine); +- for (i=0; i> 6) & 0x3 ); +- j++; +- szLine[i] &= 0xbf; ++ if (j + 1 < sizeof(szLineConv) - 1) { ++ szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3); ++ j++; ++ szLine[i] &= 0xbf; ++ } ++ else ++ break; + } + /*UTF8 2 bytes char*/ + else if ( (szLine[i] & 0xe0) == 0xc0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ ++ // don't cut multibyte in the middle in there is no more room in dest ++ if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } + /*UTF8 3 bytes char*/ + else if ( (szLine[i] & 0xf0) == 0xe0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } + /*UTF8 4 bytes char*/ + else if ( (szLine[i] & 
0xf8) == 0xf0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } else { + i+=1; + continue; + } + } +- szLineConv[j] = szLine[i]; +- j++; ++ if (j < sizeof(szLineConv)-1 && i= sizeof(szLineConv)) ++ szLineConv[sizeof(szLineConv) - 1] = 0; ++ else ++ szLineConv[j] = 0; ++ + strcpy(szLine, szLineConv); + return sOK; + } diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch 2019-03-19 15:35:03.000000000 +0000 
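Review bot: When one of the new `j + N < sizeof(szLineConv) - 1` or `i + N < len` checks fails, the loop breaks and the function still returns sOK with the rest of the line silently dropped, so a caller cannot distinguish a truncated subtitle line from a complete one. I would log it before the final terminator write, e.g. `GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[text import] line too long, truncating\n"));`, or at least comment that truncation is intentional. Several comparisons in this hunk are mangled on this page (the `<` characters are missing from the `for (i=0; i` header and from the later `i`/`j` range tests), so the exact bounds cannot be verified here; the legible checks do keep room for the NUL. gf_text_get_utf8_line begins before this hunk, and the mp4client correction from `sizeof(the_cfg)` to `sizeof(the_url)` is right.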
@@ -0,0 +1,34 @@ +From 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Tue, 6 Mar 2018 11:23:31 +0100 +Subject: [PATCH] fix some exploitable overflows (#994, #997) + +--- + include/gpac/tools.h | 1 + + src/isomedia/avc_ext.c | 2 ++ + src/media_tools/av_parsers.c | 4 ++++ + 3 files changed, 7 insertions(+) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/tools.h ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/tools.h +@@ -999,6 +999,7 @@ void gf_fm_request_call(u32 type, u32 pa + } + #endif + ++#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0])) + + #endif /*_GF_CORE_H_*/ + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/av_parsers.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/av_parsers.c +@@ -2160,6 +2160,10 @@ s32 gf_media_avc_read_sps(const char *sp + sps->offset_for_non_ref_pic = bs_get_se(bs); + sps->offset_for_top_to_bottom_field = bs_get_se(bs); + sps->poc_cycle_length = bs_get_ue(bs); ++ if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n")); ++ goto exit; ++ } + for(i=0; ipoc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs); + } + if (sps->poc_type > 2) { diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2015-07-08 11:18:43.000000000 +0000 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-03-19 15:42:04.000000000 +0000 @@ -4,3 +4,8 @@ export_gf_isom_set_pixel_aspect_ratio.patch dont-err-build-on-uknown-system.patch skip-swf-test.patch +CVE-2018-7752-CVE-2018-1000100.patch +CVE-2018-13005-CVE-2018-13006.patch +CVE-2018-20760.patch +CVE-2018-20761-CVE-2018-20762.patch +CVE-2018-20763.patch
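Review bot: The embedded diffstat lists `src/isomedia/avc_ext.c | 2 ++` and 7 insertions, but the patch body contains only the tools.h and av_parsers.c hunks (5 insertions), so the avc_ext.c hunk of upstream 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 was dropped in the backport. If that was deliberate because it does not apply to 0.5.2, a DEP-3 header line saying so would stop the question from coming up again; if not, part of the upstream fix is missing, which I cannot settle from here. The bounds check itself is correct: `poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)` rejects exactly the values for which the `i < poc_cycle_length` loop would write past the array. ARRAY_LENGTH is added to tools.h without an `#ifndef ARRAY_LENGTH` guard, so it will produce a redefinition warning or error if any other header in the tree defines the same macro name.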