diff --git a/gdb-6.5-dwarf-stack-overflow.patch b/gdb-6.5-dwarf-stack-overflow.patch
index b19d2cd..9680d28 100644
--- a/gdb-6.5-dwarf-stack-overflow.patch
+++ b/gdb-6.5-dwarf-stack-overflow.patch
@@ -1,49 +1,89 @@
 for gdb/ChangeLog:
-2006-08-14  Will Drewry <wad@google.com>
+2006-08-22  Will Drewry <wad@google.com>
+	    Tavis Ormandy <taviso@google.com>
 
-	* dwarf2read.c (decode_locdesc): Avoid overflows in expression
-	stack.
+	* dwarf2read.c (decode_locdesc): Enforce location description stack
+	boundaries.
 	* dwarfread.c (locval): Likewise.
 
 Index: gdb-6.5/gdb/dwarf2read.c
 ===================================================================
---- gdb-6.5.orig/gdb/dwarf2read.c	2006-08-23 04:12:09.000000000 -0300
-+++ gdb-6.5/gdb/dwarf2read.c	2006-08-23 04:16:17.000000000 -0300
-@@ -8864,6 +8864,16 @@ decode_locdesc (struct dwarf_block *blk,
+--- gdb-6.5.orig/gdb/dwarf2read.c	2006-09-04 02:02:23.000000000 -0300
++++ gdb-6.5/gdb/dwarf2read.c	2006-09-04 02:02:23.000000000 -0300
+@@ -8667,8 +8667,7 @@ dwarf2_fundamental_type (struct objfile 
+    callers will only want a very basic result and this can become a
+    complaint.
+ 
+-   Note that stack[0] is unused except as a default error return.
+-   Note that stack overflow is not yet handled.  */
++   Note that stack[0] is unused except as a default error return. */
+ 
+ static CORE_ADDR
+ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
+@@ -8685,7 +8684,7 @@ decode_locdesc (struct dwarf_block *blk,
+ 
+   i = 0;
+   stacki = 0;
+-  stack[stacki] = 0;
++  stack[++stacki] = 0;
+ 
+   while (i < size)
+     {
+@@ -8864,6 +8863,16 @@ decode_locdesc (struct dwarf_block *blk,
  		     dwarf_stack_op_name (op));
  	  return (stack[stacki]);
  	}
-+
-+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
-+	 outside of the given size.  Also enforce minimum > 0.  */
-+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
++      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
++         outside of the allocated space. Also enforce minimum > 0.
++         -- wad@google.com 14 Aug 2006 */
++      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too deep: %d"),
-+			stacki);
++	                _("location description stack too deep: %d"),
++	                stacki);
 +      if (stacki <= 0)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too shallow"));
++	                _("location description stack too shallow"));
      }
    return (stack[stacki]);
  }
 Index: gdb-6.5/gdb/dwarfread.c
 ===================================================================
 --- gdb-6.5.orig/gdb/dwarfread.c	2005-12-17 20:33:59.000000000 -0200
-+++ gdb-6.5/gdb/dwarfread.c	2006-08-23 04:17:24.000000000 -0300
-@@ -2224,6 +2224,16 @@ locval (struct dieinfo *dip)
++++ gdb-6.5/gdb/dwarfread.c	2006-09-04 02:02:23.000000000 -0300
+@@ -2138,9 +2138,7 @@ decode_line_numbers (char *linetable)
+ 
+    NOTES
+ 
+-   Note that stack[0] is unused except as a default error return.
+-   Note that stack overflow is not yet handled.
+- */
++   Note that stack[0] is unused except as a default error return. */
+ 
+ static int
+ locval (struct dieinfo *dip)
+@@ -2160,7 +2158,7 @@ locval (struct dieinfo *dip)
+   loc += nbytes;
+   end = loc + locsize;
+   stacki = 0;
+-  stack[stacki] = 0;
++  stack[++stacki] = 0;
+   dip->isreg = 0;
+   dip->offreg = 0;
+   dip->optimized_out = 1;
+@@ -2224,6 +2222,16 @@ locval (struct dieinfo *dip)
  	  stacki--;
  	  break;
  	}
-+
-+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
-+	 outside of the given size.  Also enforce minimum > 0.  */
-+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
++      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
++         outside of the allocated space. Also enforce minimum > 0.
++         -- wad@google.com 14 Aug 2006 */
++      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too deep: %d"),
-+			stacki);
++	                _("location description stack too deep: %d"),
++	                stacki);
 +      if (stacki <= 0)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too shallow"));
++	                _("location description stack too shallow"));
      }
    return (stack[stacki]);
  }
diff --git a/gdb.spec b/gdb.spec
index 9a85b3c..5583c53 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -11,7 +11,7 @@ Name: gdb
 Version: 6.5
 
 # The release always contains a leading reserved number, start it at 0.
-Release: 6%{?dist}
+Release: 7%{?dist}
 
 License: GPL
 Group: Development/Debuggers
@@ -247,6 +247,7 @@ Patch188: gdb-6.5-bz203661-emit-relocs.patch
 Patch189: gdb-6.5-opcodes-i386-nopmem.patch
 
 # Security patch: avoid stack overflows in dwarf expression computation.
+# CVE-2006-4146
 Patch190: gdb-6.5-dwarf-stack-overflow.patch
 
 BuildRequires: ncurses-devel glibc-devel gcc make gzip texinfo dejagnu gettext
@@ -510,6 +511,9 @@ fi
 # don't include the files in include, they are part of binutils
 
 %changelog
+* Mon Sep  4 2006 Alexandre Oliva <aoliva@redhat.com> - 6.5-7
+- Fix bug in patch for CVE-2006-4146. (BZ 203873, BZ 203880)
+
 * Thu Aug 24 2006 Alexandre Oliva <aoliva@redhat.com> - 6.5-6
 - Avoid overflows and underflows in dwarf expression computation stack.
 (BZ 203873)