diff --git a/texlive-CVE-2010-0739,1440-integer-overflows.patch b/texlive-CVE-2010-0739,1440-integer-overflows.patch
new file mode 100644
index 0000000..93b5e69
--- /dev/null
+++ b/texlive-CVE-2010-0739,1440-integer-overflows.patch
@@ -0,0 +1,29 @@
+diff -up texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 texlive-2007/texk/dvipsk/dospecial.c
+--- texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 2006-12-07 23:39:19.000000000 +0100
++++ texlive-2007/texk/dvipsk/dospecial.c 2010-05-09 10:35:33.724632292 +0200
+@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes,
+ int j ;
+ static int omega_specials = 0;
+
+- if (nextstring + numbytes > maxstring) {
++ if (numbytes < 0 || numbytes > maxstring - nextstring) {
++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) {
++ error("! Integer overflow in predospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * numbytes) ;
+ maxstring = nextstring + 2 * numbytes + 700 ;
+ }
+@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes)
+ char seen[NKEYS] ;
+ float valseen[NKEYS] ;
+
+- if (nextstring + nbytes > maxstring) {
++ if (nbytes < 0 || nbytes > maxstring - nextstring) {
++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) {
++ error("! Integer overflow in bbdospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+ maxstring = nextstring + 2 * nbytes + 700 ;
+ }
diff --git a/texlive.spec b/texlive.spec
index f04363c..2eb2579 100644
--- a/texlive.spec
+++ b/texlive.spec
@@ -21,7 +21,7 @@
 Name: texlive
 Version: %{texlive_ver}
-Release: 50%{?dist}
+Release: 51%{?dist}
 Summary: Binaries for the TeX formatting system
 Group: Applications/Publishing
@@ -79,6 +79,7 @@ Patch32: texlive-getline.patch
 Patch33: texlive-poolfix.patch
 Patch34: texlive-dvipsconfig.patch
 Patch35: texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
+Patch36: texlive-CVE-2010-0739,1440-integer-overflows.patch
 ######
 # mpeters contributed patches
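Review bot: The guards added to predospecial and bbdospecial in the dospecial.c patch use `INT_MAX`, but neither of its two hunks adds `#include <limits.h>`, so the build relies on that header arriving through an include that is not visible here; adding the include in the patch would make the dependency explicit. The same five-line check is pasted into both functions with only the variable and message changed, so a small static helper, or at least a comment such as `/* reject sizes for which 1000 + 2 * numbytes would overflow int */`, would keep the two sites in step. Both function bodies start and continue outside the hunks, so whether later writes through `p` stay within the `2 * numbytes + 700` bound set on `maxstring` cannot be confirmed from this page.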
@@ -413,6 +414,7 @@ chmod -x texk/dvipdfm/encodings.c
 %patch33 -p1 -b .poolfix
 %patch34 -p1 -b .dvipsconfig
 %patch35 -p1 -b .CVE-2010-0829
+%patch36 -p1 -b .CVE-2010-0739,1440
 # fix non utf man pages
 %patch42 -p1 -b .notutf8-2
@@ -1253,6 +1255,9 @@ fi
 %{_mandir}/man1/texutil.1*
 %changelog
+* Mon May 10 2010 Jindrich Novy 2007-51
+- fix CVE-2010-0739 and CVE-2010-1440 (#584795)
+
 * Fri May 07 2010 Jindrich Novy 2007-50
 - fix CVE-2010-0829 (#589607)