diff --git a/SOURCES/bind99-CVE-2016-2776.patch b/SOURCES/bind99-CVE-2016-2776.patch
new file mode 100644
index 0000000..6a02094
--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-2776.patch
@@ -0,0 +1,89 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 73def73..3d2de4f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1736,7 +1736,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+ 	if (r.length < DNS_MESSAGE_HEADERLEN)
+ 		return (ISC_R_NOSPACE);
+ 
+-	if (r.length < msg->reserved)
++	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+ 		return (ISC_R_NOSPACE);
+ 
+ 	/*
+@@ -1863,8 +1863,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options)
+ 
+ 	return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++	  dns_compress_t *cctx, isc_buffer_t *target,
++	  unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++	isc_result_t result;
++
++	/*
++	 * Shrink the space in the buffer by the reserved amount.
++	 */
++	if (target->length - target->used < reserved)
++		return (ISC_R_NOSPACE);
++
++	target->length -= reserved;
++	result = dns_rdataset_towire(rdataset, owner_name,
++				     cctx, target, options, countp);
++	target->length += reserved;
++
++	return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ 			  unsigned int options)
+@@ -1907,6 +1928,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ 	/*
+ 	 * Shrink the space in the buffer by the reserved amount.
+ 	 */
++	if (msg->buffer->length - msg->buffer->used < msg->reserved)
++		return (ISC_R_NOSPACE);
+ 	msg->buffer->length -= msg->reserved;
+ 
+ 	total = 0;
+@@ -2183,9 +2206,8 @@ dns_message_renderend(dns_message_t *msg) {
+ 		 * Render.
+ 		 */
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->opt, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->opt, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2201,9 +2223,8 @@ dns_message_renderend(dns_message_t *msg) {
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2224,9 +2245,8 @@ dns_message_renderend(dns_message_t *msg) {
+ 		 * the owner name of a SIG(0) is irrelevant, and will not
+ 		 * be set in a message being rendered.
+ 		 */
+-		result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->sig0, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 02e2653..5d516b5 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -25,7 +25,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  29%{?PATCHVER}%{?PREVER}%{?dist}.3
+Release:  29%{?PATCHVER}%{?PREVER}%{?dist}.4
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -104,6 +104,7 @@ Patch159:bind99-CVE-2015-5722.patch
 Patch160:bind99-CVE-2015-8000.patch
 Patch161:bind99-CVE-2015-8704.patch
 Patch162:bind99-CVE-2016-1285-CVE-2016-1286.patch
+patch163:bind99-CVE-2016-2776.patch
 
 # Native PKCS#11 functionality from 9.10
 Patch150:bind-9.9-allow_external_dnskey.patch
@@ -381,6 +382,7 @@ popd
 %patch160 -p1 -b .CVE-2015-8000
 %patch161 -p1 -b .CVE-2015-8704
 %patch162 -p1 -b .CVE-2016-1285-CVE-2016-1286
+%patch163 -p1 -b .CVE-2016-2776
 
 %if %{PKCS11}
 cp -r bin/named{,-pkcs11}
@@ -1061,6 +1063,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Fri Sep 23 2016 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-29.4
+- Fix CVE-2016-2776
+
 * Tue Mar 08 2016 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-29.3
 - Fix CVE-2016-1285 and CVE-2016-1286