diff --git a/debian/changelog b/debian/changelog
index 89fc441..f163ee9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,11 @@
-tigr-glimmer (3.02-4) UNRELEASED; urgency=medium
+tigr-glimmer (3.02-4) unstable; urgency=medium
 * moved debian/upstream to debian/upstream/metadata
 * cme fix dpkg-control
+ * Fix crashes reported by Mayhem
+ Closes: #715701, #715702
- -- Andreas Tille Mon, 14 Dec 2015 16:44:19 +0100
+ -- Andreas Tille Tue, 15 Dec 2015 10:17:14 +0100
 tigr-glimmer (3.02-3) unstable; urgency=low
diff --git a/debian/patches/mayhem.patch b/debian/patches/mayhem.patch
new file mode 100644
index 0000000..94a300b
--- /dev/null
+++ b/debian/patches/mayhem.patch
@@ -0,0 +1,140 @@
+Author: Andreas Tille
+Last-Update: Mon, 14 Dec 2015 16:44:19 +0100
+Bug-Debian: http://bugs.debian.org/715701,
+ http://bugs.debian.org/715702
+Description: Fix crashes reported by Mayhem
+ See http://www.drpaulcarter.com/cs/common-c-errors.php#4.1
+ to make fgetc() more safe. However, the original problem is
+ that for empty strings no space at all is allocated. This is
+ now done in advance.
+
+--- a/src/ICM/build-fixed.cc
++++ b/src/ICM/build-fixed.cc
+@@ -234,20 +234,24 @@ static int Read_String
+ {
+ int ch, ct;
+
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ ;
+
+ if (ch == EOF)
+ return FALSE;
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
+ ;
+ if (ch == EOF)
+ return FALSE;
+- if (ch != '\n' && ! isspace (ch))
++ if (ch != ((int) '\n') && ! isspace (ch))
+ ungetc (ch, fp);
+- while ((ch = fgetc (fp)) != EOF && ch != '\n')
++ if (tag_size == 0 ) {
++ tag_size += INCR_SIZE;
++ tag = (char *) Safe_realloc (tag, tag_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
+ {
+ if (ct >= tag_size - 1)
+ {
+@@ -259,7 +263,11 @@ static int Read_String
+ tag [ct ++] = '\0';
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ if (s_size == 0) {
++ s_size += INCR_SIZE;
++ s = (char *) Safe_realloc (s, s_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ {
+ if (isspace (ch))
+ continue;
+--- a/src/ICM/build-icm.cc
++++ b/src/ICM/build-icm.cc
+@@ -271,20 +271,24 @@ static int Read_String
+ {
+ int ch, ct;
+
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ ;
+
+ if (ch == EOF)
+ return FALSE;
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
+ ;
+ if (ch == EOF)
+ return FALSE;
+ if (ch != '\n' && ! isspace (ch))
+ ungetc (ch, fp);
+- while ((ch = fgetc (fp)) != EOF && ch != '\n')
++ if (tag_size == 0) {
++ tag_size += INCR_SIZE;
++ tag = (char *) Safe_realloc (tag, tag_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
+ {
+ if (ct >= tag_size - 1)
+ {
+@@ -296,7 +300,11 @@ static int Read_String
+ tag [ct ++] = '\0';
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ if (s_size == 0) {
++ s_size += INCR_SIZE;
++ s = (char *) Safe_realloc (s, s_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ {
+ if (isspace (ch))
+ continue;
+--- a/src/ICM/score-fixed.cc
++++ b/src/ICM/score-fixed.cc
+@@ -163,20 +163,24 @@ int Read_String
+ {
+ int ch, ct;
+
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ ;
+
+ if (ch == EOF)
+ return FALSE;
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
+ ;
+ if (ch == EOF)
+ return FALSE;
+ if (ch != '\n' && ! isspace (ch))
+ ungetc (ch, fp);
+- while ((ch = fgetc (fp)) != EOF && ch != '\n')
++ if (tag_size == 0 ) {
++ tag_size += INCR_SIZE;
++ tag = (char *) Safe_realloc (tag, tag_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
+ {
+ if (ct >= tag_size - 1)
+ {
+@@ -188,7 +192,11 @@ int Read_String
+ tag [ct ++] = '\0';
+
+ ct = 0;
+- while ((ch = fgetc (fp)) != EOF && ch != '>')
++ if (s_size == 0) {
++ s_size += INCR_SIZE;
++ s = (char *) Safe_realloc (s, s_size);
++ }
++ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
+ {
+ if (isspace (ch))
+ continue;
diff --git a/debian/patches/series b/debian/patches/series
index 0851e90..58ad637 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 10_gcc4.3.patch
 10_gcc4.4.patch
+mayhem.patch
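Review bot: The `((int) '>')` and `((int) '\n')` rewrites in every hunk of mayhem.patch change nothing — `ch` is already the `int` returned by `fgetc`, and a character literal is promoted to `int` in the comparison — so they mix cosmetic churn into a crash fix, and unevenly: the `if (ch != '\n' && ! isspace (ch))` line is recast in build-fixed.cc but left as plain context in build-icm.cc and score-fixed.cc. The real fix is the two pre-allocation blocks, `if (tag_size == 0 ) { tag_size += INCR_SIZE; tag = (char *) Safe_realloc (tag, tag_size); }` and the matching one for `s`, which give the terminator store `tag [ct ++] = '\0';` at the top of each second hunk somewhere to write when the read loop consumed no characters; trimming the patch to those blocks would make it match its own Description and keep future rebases small. Each block deserves a one-line comment so the intent survives, e.g. `/* an empty name never enters the grow branch below; reserve room for the '\0' up front */`. Read_String's signature, the grow branch `if (ct >= tag_size - 1)` and the corresponding terminator store for `s` all lie outside the hunks, so whether the `s` path is fully covered cannot be confirmed from here, and the DEP-3 `Last-Update` (Mon, 14 Dec) is a day older than the changelog entry that ships it.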