diff -Nru libwmf-0.2.8.4/debian/changelog libwmf-0.2.8.4/debian/changelog
--- libwmf-0.2.8.4/debian/changelog 2016-04-25 16:20:23.000000000 +0000
+++ libwmf-0.2.8.4/debian/changelog 2017-03-28 15:37:26.000000000 +0000
@@ -1,3 +1,17 @@
+libwmf (0.2.8.4-10.6ubuntu1) zesty; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - Split out GTK plugin into separate package.
+
+ -- Balint Reczey Tue, 28 Mar 2017 15:37:26 +0000
+
+libwmf (0.2.8.4-10.6) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090)
+
+ -- Balint Reczey Mon, 31 Oct 2016 20:29:09 +0100
+
 libwmf (0.2.8.4-10.5ubuntu2) yakkety; urgency=medium

 * No-change rebuild for libpng soname change.
@@ -534,3 +548,4 @@
 * New package.

 -- Matej Vela Sat, 8 May 1999 22:23:58 +0200
+
diff -Nru libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch
--- libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 1970-01-01 00:00:00.000000000 +0000
+++ libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 2016-10-31 19:26:50.000000000 +0000
@@ -0,0 +1,34 @@
+--- ./src/player.c.orig 2016-10-27 23:17:53.076604344 +0200
++++ ./src/player.c 2016-10-27 23:20:15.271078052 +0200
+@@ -140,7 +140,30 @@
+ return (API->err);
+ }
+
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff -Nru libwmf-0.2.8.4/debian/patches/series libwmf-0.2.8.4/debian/patches/series
--- libwmf-0.2.8.4/debian/patches/series 2015-07-31 07:58:05.000000000 +0000
+++ libwmf-0.2.8.4/debian/patches/series 2016-11-12 16:13:02.000000000 +0000
@@ -4,3 +4,4 @@
 04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
 05_gdk-pixbuf-loader-dir.patch
 CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
+CVE-2016-9011.patch
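Review bot: In the src/player.c hunk carried by CVE-2016-9011.patch, the size used for both the probe and the allocation is `(MAX_REC_SIZE(API) ) * 2` stored in a `U32`, so a header value whose doubling does not fit in 32 bits is truncated and the seek check then validates a smaller size than the file claims; a wrap to zero skips the probe entirely and still reaches `wmf_malloc (API, 0)`. Assuming the header field is itself 32-bit (its type is not visible here), rejecting it before the multiplication, e.g. `if (MAX_REC_SIZE(API) > 0x7fffffffUL) { API->err = wmf_E_BadFormat; return (API->err); }`, would close that gap. The probe offset `nPos + nMaxRecordSize - 1` has the same wrap problem where `long` is 32 bits, and the value returned by `WMF_TELL` is used without being checked for failure. The restoring `WMF_SEEK (API, nPos);` is not followed by an `if (ERR (API))` check the way the first seek is, so a failed rewind would leave the player reading from the probe position. The enclosing function starts and ends outside the hunk.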