diff --git a/audiofile-0.3.6-pull42.patch b/audiofile-0.3.6-pull42.patch
new file mode 100644
index 0000000..3fab300
--- /dev/null
+++ b/audiofile-0.3.6-pull42.patch
@@ -0,0 +1,176 @@
+diff -Nur audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp audiofile-0.3.6-pull42/libaudiofile/modules/BlockCodec.cpp
+--- audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/libaudiofile/modules/BlockCodec.cpp	2017-03-10 15:40:02.000000000 +0100
+@@ -52,8 +52,9 @@
+ 	// Decompress into m_outChunk.
+ 	for (int i=0; i<blocksRead; i++)
+ 	{
+-		decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+-			static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
++		if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
++			static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
++			break;
+ 
+ 		framesRead += m_framesPerPacket;
+ 	}
+diff -Nur audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp audiofile-0.3.6-pull42/libaudiofile/modules/MSADPCM.cpp
+--- audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/libaudiofile/modules/MSADPCM.cpp	2017-03-10 15:40:02.000000000 +0100
+@@ -101,24 +101,60 @@
+ 	768, 614, 512, 409, 307, 230, 230, 230
+ };
+ 
++int firstBitSet(int x)
++{
++        int position=0;
++        while (x!=0)
++        {
++                x>>=1;
++                ++position;
++        }
++        return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++bool multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++	return __builtin_mul_overflow(a, b, result);
++#else
++	if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++		return true;
++	*result = a * b;
++	return false;
++#endif
++}
++
++
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+-	uint8_t code, const int16_t *coefficient)
++	uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+ 	int linearSample = (state.sample1 * coefficient[0] +
+ 		state.sample2 * coefficient[1]) >> 8;
++	int delta;
+ 
+ 	linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+ 
+ 	linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+ 
+-	int delta = (state.delta * adaptationTable[code]) >> 8;
++	if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
++	{
++                if (ok) *ok=false;
++		_af_error(AF_BAD_COMPRESSION, "Error decoding sample");
++		return 0;
++	}
++	delta >>= 8;
+ 	if (delta < 16)
+ 		delta = 16;
+ 
+ 	state.delta = delta;
+ 	state.sample2 = state.sample1;
+ 	state.sample1 = linearSample;
++	if (ok) *ok=true;
+ 
+ 	return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@
+ 	{
+ 		uint8_t code;
+ 		int16_t newSample;
++		bool ok;
+ 
+ 		code = *encoded >> 4;
+-		newSample = decodeSample(*state[0], code, coefficient[0]);
++		newSample = decodeSample(*state[0], code, coefficient[0], &ok);
++		if (!ok) return 0;
+ 		*decoded++ = newSample;
+ 
+ 		code = *encoded & 0x0f;
+-		newSample = decodeSample(*state[1], code, coefficient[1]);
++		newSample = decodeSample(*state[1], code, coefficient[1], &ok);
++		if (!ok) return 0;
+ 		*decoded++ = newSample;
+ 
+ 		encoded++;
+diff -Nur audiofile-0.3.6/libaudiofile/WAVE.cpp audiofile-0.3.6-pull42/libaudiofile/WAVE.cpp
+--- audiofile-0.3.6/libaudiofile/WAVE.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/libaudiofile/WAVE.cpp	2017-03-10 15:40:02.000000000 +0100
+@@ -281,6 +281,12 @@
+ 
+ 			/* numCoefficients should be at least 7. */
+ 			assert(numCoefficients >= 7 && numCoefficients <= 255);
++			if (numCoefficients < 7 || numCoefficients > 255)
++			{
++				_af_error(AF_BAD_HEADER,
++						"Bad number of coefficients");
++				return AF_FAIL;
++			}
+ 
+ 			m_msadpcmNumCoefficients = numCoefficients;
+ 
+@@ -834,6 +840,8 @@
+ 	}
+ 
+ 	TrackSetup *track = setup->getTrack();
++	if (!track)
++		return AF_NULL_FILESETUP;
+ 
+ 	if (track->f.isCompressed())
+ 	{
+diff -Nur audiofile-0.3.6/sfcommands/sfconvert.c audiofile-0.3.6-pull42/sfcommands/sfconvert.c
+--- audiofile-0.3.6/sfcommands/sfconvert.c	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/sfcommands/sfconvert.c	2017-03-10 15:40:02.000000000 +0100
+@@ -45,6 +45,33 @@
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+ 
++int firstBitSet(int x)
++{
++        int position=0;
++        while (x!=0)
++        {
++                x>>=1;
++                ++position;
++        }
++        return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++bool multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++	return __builtin_mul_overflow(a, b, result);
++#else
++	if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++		return true;
++	*result = a * b;
++	return false;
++#endif
++}
++
+ int main (int argc, char **argv)
+ {
+ 	if (argc == 2)
+@@ -323,8 +350,11 @@
+ {
+ 	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ 
+-	const int kBufferFrameCount = 65536;
+-	void *buffer = malloc(kBufferFrameCount * frameSize);
++	int kBufferFrameCount = 65536;
++	int bufferSize;
++	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
++		kBufferFrameCount /= 2;
++	void *buffer = malloc(bufferSize);
+ 
+ 	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+ 	AFframecount totalFramesWritten = 0;
diff --git a/audiofile-0.3.6-pull43.patch b/audiofile-0.3.6-pull43.patch
new file mode 100644
index 0000000..4ad1152
--- /dev/null
+++ b/audiofile-0.3.6-pull43.patch
@@ -0,0 +1,21 @@
+diff -Nur audiofile-0.3.6/libaudiofile/modules/IMA.cpp audiofile-0.3.6-pull43/libaudiofile/modules/IMA.cpp
+--- audiofile-0.3.6/libaudiofile/modules/IMA.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull43/libaudiofile/modules/IMA.cpp	2017-03-06 18:06:35.000000000 +0100
+@@ -169,7 +169,7 @@
+ 		if (encoded[1] & 0x80)
+ 			m_adpcmState[c].previousValue -= 0x10000;
+ 
+-		m_adpcmState[c].index = encoded[2];
++		m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+ 
+ 		*decoded++ = m_adpcmState[c].previousValue;
+ 
+@@ -210,7 +210,7 @@
+ 			predictor -= 0x10000;
+ 
+ 		state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+-		state.index = encoded[1] & 0x7f;
++		state.index = clamp(encoded[1] & 0x7f, 0, 88);
+ 		encoded += 2;
+ 
+ 		for (int n=0; n<m_framesPerPacket; n+=2)
diff --git a/audiofile-0.3.6-pull44.patch b/audiofile-0.3.6-pull44.patch
new file mode 100644
index 0000000..091b34c
--- /dev/null
+++ b/audiofile-0.3.6-pull44.patch
@@ -0,0 +1,31 @@
+diff -Nur audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp audiofile-0.3.6-pull44/libaudiofile/modules/BlockCodec.cpp
+--- audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull44/libaudiofile/modules/BlockCodec.cpp	2017-03-09 10:21:18.000000000 +0100
+@@ -47,7 +47,7 @@
+ 
+ 	// Read the compressed data.
+ 	ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount);
+-	int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0;
++	int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0;
+ 
+ 	// Decompress into m_outChunk.
+ 	for (int i=0; i<blocksRead; i++)
+diff -Nur audiofile-0.3.6/libaudiofile/WAVE.cpp audiofile-0.3.6-pull44/libaudiofile/WAVE.cpp
+--- audiofile-0.3.6/libaudiofile/WAVE.cpp	2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull44/libaudiofile/WAVE.cpp	2017-03-09 10:21:18.000000000 +0100
+@@ -326,6 +326,7 @@
+ 			{
+ 				_af_error(AF_BAD_NOT_IMPLEMENTED,
+ 					"IMA ADPCM compression supports only 4 bits per sample");
++				return AF_FAIL;
+ 			}
+ 
+ 			int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@
+ 			{
+ 				_af_error(AF_BAD_CODEC_CONFIG,
+ 					"Invalid samples per block for IMA ADPCM compression");
++				return AF_FAIL;
+ 			}
+ 
+ 			track->f.sampleWidth = 16;
diff --git a/audiofile.spec b/audiofile.spec
index 1465da1..a199363 100644
--- a/audiofile.spec
+++ b/audiofile.spec
@@ -3,7 +3,7 @@
 Summary: Library for accessing various audio file formats
 Name: audiofile
 Version: 0.3.6
-Release: 12%{?dist}
+Release: 13%{?dist}
 Epoch: 1
 # library is LGPL / the two programs GPL / see README
 License: LGPLv2+ and GPLv2+
@@ -20,6 +20,11 @@ Patch0: audiofile-0.3.6-CVE-2015-7747.patch
 # fixes to make build with GCC 6
 Patch1: audiofile-0.3.6-left-shift-neg.patch
 Patch2: audiofile-0.3.6-narrowing.patch
+# pull requests #42,#43,#44
+Patch3: audiofile-0.3.6-pull42.patch
+Patch4: audiofile-0.3.6-pull43.patch
+Patch5: audiofile-0.3.6-pull44.patch
+
 
 %description
 The Audio File library is an implementation of the Audio File Library
@@ -44,7 +49,9 @@ other resources you can use to develop Audio File applications.
 %patch0 -p1 -b .CVE-2015-7747
 %patch1 -p1 -b .left-shift-neg
 %patch2 -p1 -b .narrowing-conversion
-
+%patch3 -p1 -b .pull42
+%patch4 -p1 -b .pull43
+%patch5 -p1 -b .pull44
 
 %build
 %configure --disable-static
@@ -84,6 +91,10 @@ make check
 %{_mandir}/man3/*
 
 %changelog
+* Sun Mar 12 2017 Michael Schwendt <mschwendt@fedoraproject.org> - 1:0.3.6-13
+- Merge upstream pull requests #42,#43,#44 from Agostino Sarubbo to fix
+  security issues.
+
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.6-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild