diff --git a/tigervnc-passwd-crash-with-malloc-checks.patch b/tigervnc-passwd-crash-with-malloc-checks.patch
new file mode 100644
index 0000000..0874b54
--- /dev/null
+++ b/tigervnc-passwd-crash-with-malloc-checks.patch
@@ -0,0 +1,41 @@
+diff --git a/common/rfb/Password.cxx b/common/rfb/Password.cxx
+index 240c9d4..cf9362e 100644
+--- a/common/rfb/Password.cxx
++++ b/common/rfb/Password.cxx
+@@ -55,7 +55,7 @@ PlainPasswd::~PlainPasswd() {
+
+ void PlainPasswd::replaceBuf(char* b) {
+ if (buf)
+- memset(buf, 0, strlen(buf));
++ memset(buf, 0, length ? length : strlen(buf));
+ CharArray::replaceBuf(b);
+ }
+
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index b678b89..fffe322 100644
+--- a/common/rfb/util.h
++++ b/common/rfb/util.h
+@@ -50,16 +50,21 @@ namespace rfb {
+ CharArray() : buf(0) {}
+ CharArray(char* str) : buf(str) {} // note: assumes ownership
+ CharArray(int len) {
++ length = len;
+ buf = new char[len];
+ }
+ ~CharArray() {
+- delete [] buf;
++ if (buf) {
++ delete [] buf;
++ buf = nullptr;
++ }
+ }
+ void format(const char *fmt, ...) __printf_attr(2, 3);
+ // Get the buffer pointer & clear it (i.e. caller takes ownership)
+ char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
+- void replaceBuf(char* b) {delete [] buf; buf = b;}
++ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
+ char* buf;
++ int length = 0;
+ private:
+ CharArray(const CharArray&);
+ CharArray& operator=(const CharArray&);
diff --git a/tigervnc.spec b/tigervnc.spec
index 5e6c8d6..67c9da0 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,6 +1,6 @@
 Name: tigervnc
 Version: 1.9.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A TigerVNC remote display system
 %global _hardened_build 1
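Review bot: `length` is set only in `CharArray(int len)` and is not updated by `takeBuf()` or `replaceBuf()` in the embedded util.h hunk, so after a buffer swap it still describes the previous allocation. `PlainPasswd::replaceBuf` then runs `memset(buf, 0, length ? length : strlen(buf))` against whatever `buf` points to now, which writes zeros past the end of the allocation if the replacement buffer is shorter than the original `len`. Resetting the field wherever ownership changes closes that gap: `void replaceBuf(char* b) {delete [] buf; buf = b; length = 0;}` and `char* takeBuf() {char* tmp = buf; buf = 0; length = 0; return tmp;}`. The PlainPasswd constructors and the rest of the CharArray class lie outside these hunks, so which call paths actually swap a sized buffer is inferred rather than shown. Separately, the wipe is a plain `memset` immediately before `delete []`, which an optimiser may treat as a dead store, so it is worth confirming the build keeps it.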
@@ -21,6 +21,7 @@ Patch3: tigervnc-shebang.patch Patch4: tigervnc-xstartup.patch Patch5: tigervnc-utilize-system-crypto-policies.patch Patch6: tigervnc-ignore-buttons-in-mouse-leave-event.patch +Patch7: tigervnc-passwd-crash-with-malloc-checks.patch Patch100: tigervnc-xserver120.patch @@ -159,6 +160,8 @@ popd %patch6 -p1 -b .ignore-buttons-in-mouse-leave-event +%patch7 -p1 -b .tigervnc-passwd-crash-with-malloc-checks + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -304,6 +307,10 @@ install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.c %{_datadir}/icons/hicolor/*/apps/* %changelog +* Tue Sep 25 2018 Jan Grulich - 1.9.0-3 +- Do not crash passwd when using malloc perturb checks + Resolves: bz#1631483 + * Wed Aug 01 2018 Jan Grulich - 1.9.0-2 - Ignore buttons in mouse leave events Resolves: bz#1609516