diff --git a/pl.spec b/pl.spec index c38041b..8474858 100644 --- a/pl.spec +++ b/pl.spec @@ -6,7 +6,7 @@ Name: pl Version: 5.10.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: SWI-Prolog - Edinburgh compatible Prolog compiler @@ -34,6 +34,10 @@ Patch6: xpce-gif-CVE-2011-2896-part_1.patch Patch7: xpce-gif-CVE-2011-2896-part_2.patch # Upstream bug #7, comment 4, will be in 5.10.5 Patch8: xpce-gif-CVE-2007-6697-like.patch +# Upstream bug #9, will be in 5.10.6, rhbz#732952 +Patch9: xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch +# Upstream bug #9, will be in 5.10.6, rhbz#732952 +Patch10: xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # Base @@ -148,6 +152,11 @@ cd packages/xpce %patch8 -p1 -b .CVE-2007-6697-like ) ( +cd packages/xpce +%patch9 -p1 -b .incomplete_gif +%patch10 -p1 -b .validate_pixel_color +) +( cd src autoconf ) @@ -320,6 +329,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Wed Aug 24 2011 Petr Pisar - 5.10.2-5 +- Fix segfault in PutImagePixels32() while displaying malformed GIF (bug + #732952) + * Fri Aug 19 2011 Petr Pisar - 5.10.2-4 - Fix CVE-2011-2896 (David Koblas' GIF decoder LZW decoder buffer overflow) (bug #727800) diff --git a/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch b/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch new file mode 100644 index 0000000..7a55ca7 --- /dev/null +++ b/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch 
@@ -0,0 +1,60 @@
+From 797226335ec47573f80e84d0fbdf1536292868d0 Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker
+Date: Wed, 24 Aug 2011 14:08:17 +0200
+Subject: [PATCH 1/2] SECURITY: Bug#9: Loading incomplete GIF files causes an
+ invalid read. Petr Pisar.
+
+An incomplete image file causes part of the pixels to be uninitialised.
+As the pixels are entries in a colormap, this causes invalid reads.
+---
+ src/img/gifread.c | 19 ++++++++++++-------
+ 1 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index 0e24e27..9c35f63 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -553,7 +553,9 @@ ReadImage(IOSTREAM *fd,
+ UCHAR c;
+ int color;
+ int xpos = 0, ypos = 0, pass = 0;
++ int lines = 0;
+ long curidx;
++ int last;
+
+ if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
+ { return GIF_INVALID;
+@@ -606,20 +608,23 @@ ReadImage(IOSTREAM *fd,
+ }
+ }
+ } else
+- {
+- ++ypos;
++ { ++ypos;
+ }
++ ++lines;
+ }
+ if (ypos >= height)
+- break;
++ goto fini;
+ }
++ return GIF_INVALID; /* short file */
+
+ fini:
++ if ( lines != height )
++ return GIF_INVALID;
+
+- if (LZWReadByte(fd, FALSE, c) >= 0)
+- {
++ if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )
++ { return GIF_OK; /* end is 0x3B, but we only read the */
++ } /* first image of animated GIFs */
+
+- }
+- return GIF_OK;
++ return GIF_INVALID;
+ }
+
+--
+1.7.6
+
diff --git a/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch b/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
new file mode 100644
index 0000000..31dc43a
--- /dev/null
+++ b/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
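Review bot: In the tail after `fini:`, an image whose rows were all filled (`lines == height`) is still returned as `GIF_INVALID` when the extra `LZWReadByte()` call comes back negative, so acceptance depends on there being more data after the last pixel. If LZWReadByte() signals end of data with a negative value (its body is not in this hunk), a GIF whose stream ends right at the last pixel would be rejected; a minimal well-formed single-frame file is worth testing. If the rejection is intended, a comment such as `/* a stream that ends exactly at the last pixel is treated as truncated */` would say so. `last` is assigned but never read, so `if ( LZWReadByte(fd, FALSE, c) >= 0 )` does the same without the extra local. The decoding loop of ReadImage() starts outside the hunk.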
@@ -0,0 +1,61 @@
+From 4bc3a0a32132c04b11ad83f2b5847be83ab7364b Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker
+Date: Wed, 24 Aug 2011 14:40:31 +0200
+Subject: [PATCH 2/2] SECURITY: Make sure all pixels are within the allocated
+ colormap
+
+---
+ src/img/gifread.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index 9c35f63..5d4755e 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -69,6 +69,7 @@ static int LZWReadByte (IOSTREAM *fd,int flag, int input_code_size);
+ static int ReadImage(IOSTREAM *fd,
+ PIXEL *bigMemBuf,
+ int width, int height,
++ int ncolors,
+ int interlace);
+
+
+@@ -251,14 +252,14 @@ GIFReadFD(IOSTREAM *fd,
+ return rval;
+ }
+ /*read image */
+- if ( (rval=ReadImage(fd, bigBuf, w, h,
++ if ( (rval=ReadImage(fd, bigBuf, w, h, bitPixel,
+ BitSet((UCHAR) buf[8], INTERLACE))) != GIF_OK )
+ { setGifError("Error reading GIF file. LocalColorMap. Giving up");
+ pceFree(bigBuf);
+ return rval;
+ }
+ } else
+- { if ( (rval=ReadImage(fd, bigBuf, w, h,
++ { if ( (rval=ReadImage(fd, bigBuf, w, h, GifScreen.BitPixel,
+ BitSet((UCHAR) buf[8], INTERLACE))) != GIF_OK )
+ { setGifError("Error reading GIF file. GIFScreen Colormap. Giving up");
+ pceFree(bigBuf);
+@@ -548,6 +549,7 @@ static int
+ ReadImage(IOSTREAM *fd,
+ PIXEL *bigMemBuf,
+ int width, int height,
++ int ncolors,
+ int interlace)
+ {
+ UCHAR c;
+@@ -567,6 +569,10 @@ ReadImage(IOSTREAM *fd,
+ {
+ curidx = (long) xpos + (long) ypos *(long) width; /* optimize */
+
++ if ( color >= ncolors )
++ { /*Cprintf("Color %d; ncolors = %d\n", color, ncolors);*/
++ return GIF_INVALID;
++ }
+ bigMemBuf[curidx] = color;
+
+ ++xpos;
+--
+1.7.6
+
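Review bot: The new bound in ReadImage(), `if ( color >= ncolors )`, is only as strong as the two values GIFReadFD() passes in, `bitPixel` and `GifScreen.BitPixel`. Nothing in the hunk shows that the colormap later indexed with these pixels really holds that many entries, for example on the global branch when no global colormap was loaded. A comment at the call sites stating the invariant, e.g. `/* ncolors must equal the number of entries read into the colormap used for this image */`, would make it checkable in review. The commented-out `Cprintf` is better replaced by a plain comment such as `/* pixel is a colormap index; reject indexes outside the map */`. The lower bound on `color` appears to rest on the enclosing loop condition, which is outside the hunk.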