diff --git a/SOURCES/mercurial-fix-cve-2018-13346-cve-2018-13347-regression.patch b/SOURCES/mercurial-fix-cve-2018-13346-cve-2018-13347-regression.patch
new file mode 100644
index 0000000..656e980
--- /dev/null
+++ b/SOURCES/mercurial-fix-cve-2018-13346-cve-2018-13347-regression.patch
@@ -0,0 +1,45 @@
+diff -ruN mercurial-2.6.2/mercurial/mpatch.c mercurial-2.6.2_patched/mercurial/mpatch.c
+--- mercurial-2.6.2/mercurial/mpatch.c	2019-10-10 12:04:17.473702325 +0100
++++ mercurial-2.6.2_patched/mercurial/mpatch.c	2019-10-10 12:03:55.538520431 +0100
+@@ -285,6 +285,7 @@
+ 	struct flist *l;
+ 	struct frag *lt;
+ 	const char *data = bin + 12, *end = bin + len;
++    int pos = 0;
+ 
+ 	/* assume worst case size, we won't have many of these lists */
+ 	l = lalloc(len / 12);
+@@ -293,25 +294,23 @@
+ 
+ 	lt = l->tail;
+ 
+-	while (data <= end) {
+-		lt->start = getbe32(bin);
+-		lt->end = getbe32(bin + 4);
+-		lt->len = getbe32(bin + 8);
++	while (pos >= 0 && pos < (len - 11)) {
++		lt->start = getbe32(bin + pos);
++		lt->end = getbe32(bin + pos + 4);
++		lt->len = getbe32(bin + pos + 8);
+ 		if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
+  			break; /* sanity check */
+-		bin = data;
+-		if (!safeadd(lt->len, &bin)) {
++		if (!safeadd(12, &pos)) {
+ 			break; /* big data + big (bogus) len can wrap around */
+ 		}
+-		lt->data = data;
+-		data = bin;
+-		if (!safeadd(12, &data)) {
++		lt->data = bin + pos;
++		if (!safeadd(lt->len, &pos)) {
+ 			break;
+ 		}
+ 		lt++;
+ 	}
+ 
+-	if (bin != end) {
++	if (pos != len) {
+ 		if (!PyErr_Occurred())
+ 			PyErr_SetString(mpatch_Error, "patch cannot be decoded");
+ 		lfree(l);
diff --git a/SPECS/mercurial.spec b/SPECS/mercurial.spec
index 3b32409..17bc2b0 100644
--- a/SPECS/mercurial.spec
+++ b/SPECS/mercurial.spec
@@ -3,7 +3,7 @@
 Summary: Mercurial -- a distributed SCM
 Name: mercurial
 Version: 2.6.2
-Release: 10%{?dist}
+Release: 11%{?dist}
 #Release: 1.rc1%{?dist}
 
 #%define upstreamversion %{version}-rc
@@ -26,6 +26,7 @@ Patch5: mercurial-cve-2017-9462.patch
 Patch6: mercurial-cve-2017-1000115-1000116.patch
 Patch7: mercurial-cve-2018-1000132.patch
 Patch8: mercurial-cve-2018-13346-cve-2018-13347.patch
+Patch9: mercurial-fix-cve-2018-13346-cve-2018-13347-regression.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python python-devel
@@ -103,6 +104,7 @@ documentation.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 make all
@@ -209,6 +211,10 @@ rm -rf $RPM_BUILD_ROOT
 #cd tests && %%{__python} run-tests.py
 
 %changelog
+* Thu Oct 10 2019 Marcel Plch <mplch@redhat.com> - 2.6.2-11
+- Fix a regression caused by previous CVE fix
+- Resolves: rhbz#1740266
+
 * Tue May 07 2019 Marcel Plch <mplch@redhat.com> - 2.6.2-10
 - Add missing hunk for CVE-2018-13347 patch
 - Related: CVE-2018-13347