diff --git a/user/vlc/APKBUILD b/user/vlc/APKBUILD
index 7db6632a1f1eab5c00b963e8869e393806c3b9c0..1d8f2de92b455bc9e8e881f9590e625c7ecd31e3 100644
--- a/user/vlc/APKBUILD
+++ b/user/vlc/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=vlc
 pkgver=3.0.4
-pkgrel=1
+pkgrel=2
 pkgdesc="Multi-platform MPEG, VCD/DVD, and DivX player"
 triggers="vlc-libs.trigger=/usr/lib/vlc/plugins"
 pkgusers="vlc"
@@ -61,6 +61,7 @@ makedepends="autoconf automake bison eudev-dev flex libarchive-dev
 	"
 source="https://get.videolan.org/vlc/$pkgver/vlc-$pkgver.tar.xz
 	check-headless.patch
+	CVE-2018-19857.patch
 	disable-sub-autodetect-fuzzy-1-test.patch
 	endian-fix.patch
 	fix-testing.patch
@@ -71,6 +72,10 @@ source="https://get.videolan.org/vlc/$pkgver/vlc-$pkgver.tar.xz
 	vlc-libs.trigger
 	"
 
+# secfixes:
+#   3.0.4-r2:
+#     - CVE-2018-19857
+
 prepare() {
 	default_prepare
 	NOCONFIGURE=1 ./bootstrap
@@ -295,6 +300,7 @@ plugins_visualization()		{ _mv_plugins visualization; }
 
 sha512sums="55c5a45a1573d559f8d62272dc446bebfb328bd48f938e634693a45032e1a3095148e634de5bc53a3a3c0e4858f7df3ed7e5dc91f3f5447e47d0ab5775171271  vlc-3.0.4.tar.xz
 22d80df599b8b65a5439cefbb7140af8e9530f326d54945da3769af65f37518b99ec2cc8647aafd2763324a0698280915afe043cc87e5720c4694881ed35bffa  check-headless.patch
+57a2b843b4b80d3887ca0141b9ea1a00752473861846a6c988553faa58650eb42cc2cd011503dce075c8a5dcabf834e449397c3cdbfdcb291ae7a41d218512da  CVE-2018-19857.patch
 e214b407235cb3afb8bec93f20c9b42957b57e6fd3960679d3d4235e77762e03e64d03c01f00ef63d589e7c85aaad02ce6abbeeccd66b1867bc92451a5b5e9b0  disable-sub-autodetect-fuzzy-1-test.patch
 e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd4630948e30c4329d27bd928f95de20fe1050d5e839778a4d012  endian-fix.patch
 63adb16b3a1927ee3de27ac339cbfbbaa346a69928c527f883259d1e03b5cb59f26a55feeda767837b448c455de584abcb53dc733b2845c0cc13621d72e7f6fd  fix-testing.patch
diff --git a/user/vlc/CVE-2018-19857.patch b/user/vlc/CVE-2018-19857.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a65dcef2044c70511b3e51ac98cf37f0662dc0eb
--- /dev/null
+++ b/user/vlc/CVE-2018-19857.patch
@@ -0,0 +1,34 @@
+From 0cc5ea748ee5ff7705dde61ab15dff8f58be39d0 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
+Date: Sat, 1 Dec 2018 23:32:18 +0200
+Subject: [PATCH] caf: fix integer underflow
+
+Pointed-out-by: Hans Jerry Illikainen <hji@dyntopia.com>
+---
+ modules/demux/caf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/modules/demux/caf.c b/modules/demux/caf.c
+index cc312a5a30..39b381f963 100644
+--- a/modules/demux/caf.c
++++ b/modules/demux/caf.c
+@@ -691,14 +691,13 @@ static int ReadKukiChunk( demux_t *p_demux, uint64_t i_size )
+     demux_sys_t *p_sys = p_demux->p_sys;
+     const uint8_t *p_peek;
+ 
+-    /* vlc_stream_Peek can't handle sizes bigger than INT32_MAX, and also p_sys->fmt.i_extra is of type 'int'*/
+-    if( i_size > INT32_MAX )
++    if( i_size > SSIZE_MAX )
+     {
+         msg_Err( p_demux, "Magic Cookie chunk too big" );
+         return VLC_EGENERIC;
+     }
+ 
+-    if( (unsigned int)vlc_stream_Peek( p_demux->s, &p_peek, (int)i_size ) < i_size )
++    if( vlc_stream_Peek( p_demux->s, &p_peek, i_size ) < (ssize_t)i_size )
+     {
+         msg_Err( p_demux, "Couldn't peek extra data" );
+         return VLC_EGENERIC;
+-- 
+2.11.0
+
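Review bot: The new bound `if( i_size > SSIZE_MAX )` in ReadKukiChunk is wider than `INT_MAX` on 64-bit targets, and the comment this patch deletes recorded that `p_sys->fmt.i_extra` is of type `int`. The rest of the function lies outside the hunk, so it cannot be confirmed from here whether `i_size` is later narrowed into that field. If it is, a chunk size between `INT_MAX` and `SSIZE_MAX` would pass this check and then be truncated, although a peek of that size would presumably fail first. Before shipping this as the complete fix, it is worth checking the remainder of the function in the 3.0.4 tree and, if narrowing does occur, keeping both limits, for example `if( i_size > SSIZE_MAX || i_size > INT_MAX )`. A replacement comment such as `/* vlc_stream_Peek returns ssize_t; p_sys->fmt.i_extra is an int */` would also preserve the reasoning that the old comment carried.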