diff --git a/emacs-auctex-compilation.patch b/emacs-auctex-compilation.patch
new file mode 100644
index 0000000..cd0eaea
--- /dev/null
+++ b/emacs-auctex-compilation.patch
@@ -0,0 +1,274 @@
+Backport the following upstream patches:
+
+http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=9afea93ed536fb9110ac62b413604cf4c4302199
+http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=71ca4f6a43bad06192cbc4bb8c7a2d69c179b7b0
+http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=1047496722a58ef5b736dae64d32adeb58c5055c
+http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=96ac0c3ebce825e60595794f99e703ec8302e240
+http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=43986d16fb6ad78a627250e14570ea70bdb1f23a
+
+Resolves: #1398718
+
+commit 9afea93ed536fb9110ac62b413604cf4c4302199
+Author: Eli Zaretskii <eliz@gnu.org>
+Date:   Sun Oct 23 16:54:00 2016 +0300
+
+    Attempt to catch reads from a buffer that is relocated
+    
+    * src/xml.c (parse_region): Add assertion to ensure buffer text is
+    not relocated while libxml2 is reading it.  (Bug#24764)
+
+diff --git a/src/xml.c b/src/xml.c
+index b1175d1..1ef84bd 100644
+--- a/src/xml.c
++++ b/src/xml.c
+@@ -181,6 +181,7 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
+   Lisp_Object result = Qnil;
+   const char *burl = "";
+   ptrdiff_t istart, iend, istart_byte, iend_byte;
++  unsigned char *buftext;
+ 
+   xmlCheckVersion (LIBXML_VERSION);
+ 
+@@ -200,18 +201,24 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
+       burl = SSDATA (base_url);
+     }
+ 
++  buftext = BYTE_POS_ADDR (istart_byte);
+   if (htmlp)
+-    doc = htmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
++    doc = htmlReadMemory ((char *)buftext,
+ 			  iend_byte - istart_byte, burl, "utf-8",
+ 			  HTML_PARSE_RECOVER|HTML_PARSE_NONET|
+ 			  HTML_PARSE_NOWARNING|HTML_PARSE_NOERROR|
+ 			  HTML_PARSE_NOBLANKS);
+   else
+-    doc = xmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
++    doc = xmlReadMemory ((char *)buftext,
+ 			 iend_byte - istart_byte, burl, "utf-8",
+ 			 XML_PARSE_NONET|XML_PARSE_NOWARNING|
+ 			 XML_PARSE_NOBLANKS |XML_PARSE_NOERROR);
+ 
++  /* If the assertion below fails, malloc was called inside the above
++     libxml2 functions, and ralloc.c caused relocation of buffer text,
++     so we could have read from unrelated memory.  */
++  eassert (buftext == BYTE_POS_ADDR (istart_byte));
++
+   if (doc != NULL)
+     {
+       Lisp_Object r = Qnil;
+
+commit 71ca4f6a43bad06192cbc4bb8c7a2d69c179b7b0
+Author: Eli Zaretskii <eliz@gnu.org>
+Date:   Sun Oct 23 19:52:56 2016 +0300
+
+    Avoid relocating buffers while libxml2 reads its text
+    
+    * src/xml.c (parse_region) [REL_ALLOC]: Freeze the ralloc arena
+    while libxml2 reads the current buffer's text.  (Bug#24764)
+
+diff --git a/src/xml.c b/src/xml.c
+index 1ef84bd..612b16c 100644
+--- a/src/xml.c
++++ b/src/xml.c
+@@ -202,6 +202,11 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
+     }
+ 
+   buftext = BYTE_POS_ADDR (istart_byte);
++#ifdef REL_ALLOC
++  /* Prevent ralloc.c from relocating the current buffer while libxml2
++     functions below read its text.  */
++  r_alloc_inhibit_buffer_relocation (1);
++#endif
+   if (htmlp)
+     doc = htmlReadMemory ((char *)buftext,
+ 			  iend_byte - istart_byte, burl, "utf-8",
+@@ -214,6 +219,9 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
+ 			 XML_PARSE_NONET|XML_PARSE_NOWARNING|
+ 			 XML_PARSE_NOBLANKS |XML_PARSE_NOERROR);
+ 
++#ifdef REL_ALLOC
++  r_alloc_inhibit_buffer_relocation (0);
++#endif
+   /* If the assertion below fails, malloc was called inside the above
+      libxml2 functions, and ralloc.c caused relocation of buffer text,
+      so we could have read from unrelated memory.  */
+
+commit 1047496722a58ef5b736dae64d32adeb58c5055c
+Author: Eli Zaretskii <eliz@gnu.org>
+Date:   Mon Oct 24 16:59:34 2016 +0300
+
+    Another fix for using pointer to buffer text
+    
+    * src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR
+    after the call to xpalloc, to avoid the danger of buffer text
+    relocation after its address was taken.  (Bug#24358)
+
+diff --git a/src/search.c b/src/search.c
+index 5c04916..f8acd40 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions.  */)
+ 	  const unsigned char *add_stuff = NULL;
+ 	  ptrdiff_t add_len = 0;
+ 	  ptrdiff_t idx = -1;
++	  ptrdiff_t begbyte;
+ 
+ 	  if (str_multibyte)
+ 	    {
+@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions.  */)
+ 	     set up ADD_STUFF and ADD_LEN to point to it.  */
+ 	  if (idx >= 0)
+ 	    {
+-	      ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
++	      begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+ 	      add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
+ 	      if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
+ 		move_gap_both (search_regs.start[idx], begbyte);
+-	      add_stuff = BYTE_POS_ADDR (begbyte);
+ 	    }
+ 
+ 	  /* Now the stuff we want to add to SUBSTED
+@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions.  */)
+ 		       add_len - (substed_alloc_size - substed_len),
+ 		       STRING_BYTES_BOUND, 1);
+ 
++	  /* We compute this after the call to xpalloc, because that
++	     could cause buffer text be relocated when ralloc.c is used.  */
++	  if (idx >= 0)
++	    add_stuff = BYTE_POS_ADDR (begbyte);
++
+ 	  /* Now add to the end of SUBSTED.  */
+ 	  if (add_stuff)
+ 	    {
+
+commit 96ac0c3ebce825e60595794f99e703ec8302e240
+Author: Eli Zaretskii <eliz@gnu.org>
+Date:   Mon Oct 24 21:37:20 2016 +0300
+
+    Yet another fix for using pointers into buffer text
+    
+    * src/search.c (boyer_moore): Update pointers to buffer text
+    after call to set_search_regs.  (Bug#24358)
+
+diff --git a/src/search.c b/src/search.c
+index f8acd40..b50e7f0 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -2014,13 +2014,20 @@ boyer_moore (EMACS_INT n, unsigned char *base_pat,
+ 	      cursor += dirlen - i - direction;	/* fix cursor */
+ 	      if (i + direction == 0)
+ 		{
+-		  ptrdiff_t position, start, end;
++		  ptrdiff_t position, start, end, cursor_off;
+ 
+ 		  cursor -= direction;
+ 
+ 		  position = pos_byte + cursor - p2 + ((direction > 0)
+ 						       ? 1 - len_byte : 0);
++		  /* set_search_regs might call malloc, which could
++		     cause ralloc.c relocate buffer text.  We need to
++		     update pointers into buffer text due to that.  */
++		  cursor_off = cursor - p2;
+ 		  set_search_regs (position, len_byte);
++		  p_limit = BYTE_POS_ADDR (limit);
++		  p2 = BYTE_POS_ADDR (pos_byte);
++		  cursor = p2 + cursor_off;
+ 
+ 		  if (NILP (Vinhibit_changing_match_data))
+ 		    {
+
+commit 43986d16fb6ad78a627250e14570ea70bdb1f23a
+Author: Noam Postavsky <npostavs@gmail.com>
+Date:   Mon Oct 24 21:22:07 2016 -0400
+
+    Inhibit buffer relocation during regex searches
+    
+    * src/search.c (looking_at_1, fast_looking_at, search_buffer): Prevent
+    relocation of buffer contents during calls to re_search_2.  This ensures
+    the pointers into buffer text won't be invalidated by
+    r_alloc_sbrk (called from malloc with configurations where
+    REL_ALLOC=yes).
+
+diff --git a/src/search.c b/src/search.c
+index fa5ac44..15504be 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -308,12 +308,20 @@ looking_at_1 (Lisp_Object string, bool posix)
+ 
+   re_match_object = Qnil;
+ 
++#ifdef REL_ALLOC
++  /* Prevent ralloc.c from relocating the current buffer while
++     searching it.  */
++  r_alloc_inhibit_buffer_relocation (1);
++#endif
+   i = re_match_2 (bufp, (char *) p1, s1, (char *) p2, s2,
+ 		  PT_BYTE - BEGV_BYTE,
+ 		  (NILP (Vinhibit_changing_match_data)
+ 		   ? &search_regs : NULL),
+ 		  ZV_BYTE - BEGV_BYTE);
+   immediate_quit = 0;
++#ifdef REL_ALLOC
++  r_alloc_inhibit_buffer_relocation (0);
++#endif
+ 
+   if (i == -2)
+     matcher_overflow ();
+@@ -561,8 +569,16 @@ fast_looking_at (Lisp_Object regexp, ptrdiff_t pos, ptrdiff_t pos_byte,
+ 
+   buf = compile_pattern (regexp, 0, Qnil, 0, multibyte);
+   immediate_quit = 1;
++#ifdef REL_ALLOC
++  /* Prevent ralloc.c from relocating the current buffer while
++     searching it.  */
++  r_alloc_inhibit_buffer_relocation (1);
++#endif
+   len = re_match_2 (buf, (char *) p1, s1, (char *) p2, s2,
+ 		    pos_byte, NULL, limit_byte);
++#ifdef REL_ALLOC
++  r_alloc_inhibit_buffer_relocation (0);
++#endif
+   immediate_quit = 0;
+ 
+   return len;
+@@ -1213,6 +1229,12 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
+ 	}
+       re_match_object = Qnil;
+ 
++#ifdef REL_ALLOC
++  /* Prevent ralloc.c from relocating the current buffer while
++     searching it.  */
++  r_alloc_inhibit_buffer_relocation (1);
++#endif
++
+       while (n < 0)
+ 	{
+ 	  ptrdiff_t val;
+@@ -1254,6 +1276,9 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
+ 	  else
+ 	    {
+ 	      immediate_quit = 0;
++#ifdef REL_ALLOC
++              r_alloc_inhibit_buffer_relocation (0);
++#endif
+ 	      return (n);
+ 	    }
+ 	  n++;
+@@ -1296,11 +1321,17 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
+ 	  else
+ 	    {
+ 	      immediate_quit = 0;
++#ifdef REL_ALLOC
++              r_alloc_inhibit_buffer_relocation (0);
++#endif
+ 	      return (0 - n);
+ 	    }
+ 	  n--;
+ 	}
+       immediate_quit = 0;
++#ifdef REL_ALLOC
++      r_alloc_inhibit_buffer_relocation (0);
++#endif
+       return (pos);
+     }
+   else				/* non-RE case */
diff --git a/emacs.spec b/emacs.spec
index 366a446..f9628ba 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       25.1
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Group:         Applications/Editors
@@ -27,6 +27,8 @@ Patch2:        emacs-pdf-default.patch
 Patch3:        emacs-system-crypto-policies.patch
 # rhbz#1271407 (upstreamed)
 Patch4:        emacs-samba.patch
+# rhbz#1398718 (upstreamed)
+Patch5:        emacs-auctex-compilation.patch
 
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -170,6 +172,7 @@ packages that add functionality to Emacs.
 %patch2 -p1 -b .pdf-default.patch
 %patch3 -p1 -b .system-crypto-policies
 %patch4 -p1 -b .samba
+%patch5 -p1 -b .auctex-compilation
 autoconf
 
 # We prefer our emacs.desktop file
@@ -449,6 +452,9 @@ update-desktop-database &> /dev/null || :
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
+* Mon Dec 12 2016 Jan Synáček <jsynacek@redhat.com> - 1:25.1-3
+- Emacs 25.1 fc25 often crashes with emacs-auctex (#1398718)
+
 * Wed Oct 12 2016 Jan Synáček <jsynacek@redhat.com> - 1:25.1-2
 - emacs leaves behind corrupted symlinks on CIFS share (#1271407)