diff --git a/0001-Resolves-ofz-313-cbBmiSrc-getDIBV5HeaderSize.patch b/0001-Resolves-ofz-313-cbBmiSrc-getDIBV5HeaderSize.patch new file mode 100644 index 0000000..4ac95f0 --- /dev/null +++ b/0001-Resolves-ofz-313-cbBmiSrc-getDIBV5HeaderSize.patch 
@@ -0,0 +1,57 @@ +From f84516a348ea8e05bbf89816505a6041e711ebfd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 22 Dec 2016 13:35:31 +0000 +Subject: [PATCH] Resolves: ofz#313 cbBmiSrc > getDIBV5HeaderSize + +Change-Id: I67fb67dc0a4cb609b8f1391c1eb6dd395755a933 +(cherry picked from commit 7485fc2a1484f31631f62f97e5c64c0ae74c6416) +(cherry picked from commit 371f0f6770add78ae81e0f769d0490874bca353c) +Reviewed-on: https://gerrit.libreoffice.org/32338 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +--- + vcl/source/filter/wmf/enhwmf.cxx | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx +index ebb42cf..9faca40 100644 +--- a/vcl/source/filter/wmf/enhwmf.cxx ++++ b/vcl/source/filter/wmf/enhwmf.cxx +@@ -1252,13 +1252,22 @@ bool EnhWMFReader::ReadEnhWMF() + else + { + const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14; +- if ( nSourceSize <= ( nEndPos - nStartPos ) ) ++ bool bSafeRead = nSourceSize <= (nEndPos - nStartPos); ++ sal_uInt32 nDeltaToDIB5HeaderSize(0); ++ const bool bReadAlpha(0x01 == aFunc.aAlphaFormat); ++ if (bSafeRead && bReadAlpha) + { + // we need to read alpha channel data if AlphaFormat of BLENDFUNCTION is + // AC_SRC_ALPHA (==0x01). To read it, create a temp DIB-File which is ready + // for DIB-5 format +- const bool bReadAlpha(0x01 == aFunc.aAlphaFormat); +- const sal_uInt32 nDeltaToDIB5HeaderSize(bReadAlpha ? 
getDIBV5HeaderSize() - cbBmiSrc : 0); ++ const sal_uInt32 nHeaderSize = getDIBV5HeaderSize(); ++ if (cbBmiSrc > nHeaderSize) ++ bSafeRead = false; ++ else ++ nDeltaToDIB5HeaderSize = nHeaderSize - cbBmiSrc; ++ } ++ if (bSafeRead) ++ { + const sal_uInt32 nTargetSize(cbBmiSrc + nDeltaToDIB5HeaderSize + cbBitsSrc + 14); + char* pBuf = new char[ nTargetSize ]; + SvMemoryStream aTmp( pBuf, nTargetSize, StreamMode::READ | StreamMode::WRITE ); +@@ -1277,7 +1286,7 @@ bool EnhWMFReader::ReadEnhWMF() + pWMF->Seek( nStart + offBmiSrc ); + pWMF->Read( pBuf + 14, cbBmiSrc ); + +- if(bReadAlpha) ++ if (bReadAlpha) + { + // need to add values for all stuff that DIBV5Header is bigger + // than DIBInfoHeader, all values are correctly initialized to zero, +-- +2.9.3 + diff --git a/0001-ofz-372-check-if-ImplSplit-succeeded.patch b/0001-ofz-372-check-if-ImplSplit-succeeded.patch new file mode 100644 index 0000000..143f6d3 --- /dev/null +++ b/0001-ofz-372-check-if-ImplSplit-succeeded.patch 
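Review bot: The new guard still trusts `nSourceSize`, and `cbBmiSrc + cbBitsSrc + 14` is evaluated in 32-bit unsigned arithmetic (the surrounding `sal_uInt32` declarations suggest both counts are 32-bit), so two large file-supplied values can wrap to a small `nSourceSize`, satisfy `bool bSafeRead = nSourceSize <= (nEndPos - nStartPos);` and still drive the later `pWMF->Read( pBuf + 14, cbBmiSrc )` with the original oversized `cbBmiSrc`. Widening the sum closes that: `const sal_uInt64 nSourceSize = sal_uInt64(cbBmiSrc) + cbBitsSrc + 14;` with the comparison left as is. Separately, the hunk validates only the total against the record, not that `offBmiSrc + cbBmiSrc` lies inside it before `pWMF->Seek( nStart + offBmiSrc )`; if that is not checked where `offBmiSrc` is read, an explicit check or at least a comment stating the invariant belongs here. `ReadEnhWMF` begins and ends outside the hunk.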
@@ -0,0 +1,73 @@ +From 9f1f5126381069e198fbfa3e71beedfbf6b6d300 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 2 Jan 2017 11:53:31 +0000 +Subject: [PATCH] ofz#372 check if ImplSplit succeeded + +(cherry picked from commit 62a97e6a561ce65e88d4c537a1b82c336f012722) +(cherry picked from commit 6431e2bff67e81b4aff4e3b52e67903e1cd566f3) + +Change-Id: I1e34295fe3ee5f77e787f583616d52fa92a0eca4 +Reviewed-on: https://gerrit.libreoffice.org/32640 +Tested-by: Jenkins +Reviewed-by: Markus Mohrhard +--- + tools/inc/poly.h | 2 +- + tools/source/generic/poly.cxx | 12 +++++++++--- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/tools/inc/poly.h b/tools/inc/poly.h +index f15f01f..3269efe 100644 +--- a/tools/inc/poly.h ++++ b/tools/inc/poly.h +@@ -42,7 +42,7 @@ public: + + void ImplSetSize( sal_uInt16 nSize, bool bResize = true ); + void ImplCreateFlagArray(); +- void ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon* pInitPoly = NULL ); ++ bool ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon* pInitPoly = NULL ); + }; + + #define MAX_POLYGONS ((sal_uInt16)0x3FF0) +diff --git a/tools/source/generic/poly.cxx b/tools/source/generic/poly.cxx +index ada7051..9919573 100644 +--- a/tools/source/generic/poly.cxx ++++ b/tools/source/generic/poly.cxx +@@ -213,11 +213,14 @@ void ImplPolygon::ImplSetSize( sal_uInt16 nNewSize, bool bResize ) + mnPoints = nNewSize; + } + +-void ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon* pInitPoly ) ++bool ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon* pInitPoly ) + { + //Can't fit this in :-(, throw ? 
+ if (mnPoints + nSpace > USHRT_MAX) +- return; ++ { ++ SAL_WARN("tools", "Polygon needs " << mnPoints + nSpace << " points, but only " << USHRT_MAX << " possible"); ++ return false; ++ } + + const sal_uInt16 nNewSize = mnPoints + nSpace; + const std::size_t nSpaceSize = static_cast(nSpace) * sizeof(Point); +@@ -273,6 +276,8 @@ void ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon* pI + mpPointAry = pNewAry; + mnPoints = nNewSize; + } ++ ++ return true; + } + + void ImplPolygon::ImplCreateFlagArray() +@@ -1445,7 +1450,8 @@ void Polygon::Insert( sal_uInt16 nPos, const Point& rPt, PolyFlags eFlags ) + if( nPos >= mpImplPolygon->mnPoints ) + nPos = mpImplPolygon->mnPoints; + +- mpImplPolygon->ImplSplit( nPos, 1 ); ++ if (!mpImplPolygon->ImplSplit(nPos, 1)) ++ return; + mpImplPolygon->mpPointAry[ nPos ] = rPt; + + if( POLY_NORMAL != eFlags ) +-- +2.9.3 + diff --git a/libreoffice.spec b/libreoffice.spec index 40a45ea..b902f31 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -312,6 +312,8 @@ Patch71: 0001-Resolves-tdf-103493-copying-note-captions-needs-a-co.patch Patch72: 0001-Resolves-tdf-105968-handle-engineering-notation-roun.patch Patch73: 0001-writerfilter-DOCX-import-fix-handling-of-w-hideMark-.patch Patch74: 0001-rhbz-1438179-sw-fix-toolbar-Next-Track-Change-Previo.patch +Patch75: 0001-ofz-372-check-if-ImplSplit-succeeded.patch +Patch76: 0001-Resolves-ofz-313-cbBmiSrc-getDIBV5HeaderSize.patch %if ! 0%{?rhel} Patch400: 0001-Update-liborcus-to-0.11.0.patch @@ -2400,7 +2402,9 @@ done %endif %changelog -* Thu Feb 16 2017 Eike Rathke - 1:5.1.6.2-8.UNBUILT +* Fri Apr 21 2017 Caolán McNamara - 1:5.1.6.2-8 +- CVE-2017-7870 Heap-buffer-overflow in WMF filter +- CVE-2016-10327 Heap-buffer-overflow in EMF filter - Resolves: DOCX import w:hideMark vs. w:vMerge table layout - Resolves: rhbz#1438179 Writer change tracking toolbar navigation
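Review bot: Only the `Polygon::Insert` call site is taught to check the new `bool` result of `ImplSplit`; the signature change in poly.h does nothing to stop any other caller outside this hunk from ignoring it and indexing past `mnPoints` exactly as `Insert` did before, so the declaration should carry a warn-unused-result attribute and the remaining callers be audited. `Insert` now silently drops the point on failure behind an unchanged `void` interface; a comment at the early return, `// polygon cannot grow past USHRT_MAX points; the point is dropped`, would make that contract visible. Both `ImplSplit` and `Insert` continue outside the hunk.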