diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo
index b0c855fa4e2c..56d788d9586c 100644
--- a/graphics/libwmf/distinfo
+++ b/graphics/libwmf/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.15 2006/10/10 00:22:28 dmcmahill Exp $
+$NetBSD: distinfo,v 1.16 2007/09/19 15:39:13 jlam Exp $
 
 SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
 SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
 SHA1 (patch-ae) = 980c70e981209cfb5da85bd28accd81c35ed1c52
+SHA1 (patch-af) = f5cbb60757261aaf6084e9fcf16f9074b3013538
diff --git a/graphics/libwmf/patches/patch-af b/graphics/libwmf/patches/patch-af
new file mode 100644
index 000000000000..169d9b55bc4a
--- /dev/null
+++ b/graphics/libwmf/patches/patch-af
@@ -0,0 +1,38 @@
+$NetBSD: patch-af,v 1.1 2007/09/19 15:39:13 jlam Exp $
+
+--- src/player.c.orig	Tue Dec 10 19:30:26 2002
++++ src/player.c
+@@ -43,6 +43,16 @@
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
+ 
++#ifdef HAVE_STDINT_H
++#include <stdint.h>
++#endif
++#ifndef UINT32_MAX
++#include <limits.h>
++#endif
++#ifndef UINT32_MAX
++#define UINT32_MAX	UINT_MAX
++#endif
++
+ /**
+  * @internal
+  */
+@@ -132,8 +142,14 @@ wmf_error_t wmf_scan (wmfAPI* API,unsign
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++	
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");