diff --git a/Changelog.txt b/Changelog.txt
index 8c79e1c4..95bdc952 100755
--- a/Changelog.txt
+++ b/Changelog.txt
@@ -1,9 +1,12 @@
+2017-09-12 Alex Tutubalin
+ * Fix for possible heap overrun in Canon makernotes parser
+ * LibRaw 0.18.4
+
 2017-09-09 Alex Tutubalin
  * Fix for CVE-2017-13735
- * Additional check for X-Trans CFA pattern data
+ * CVE-2017-14265: Additional check for X-Trans CFA pattern data
  * LibRaw 0.18.3
-
 2017-03-08 Alex Tutubalin
  * Fixed several errors (Secunia advisory SA75000)
  * ACES colorspace output option included in dcraw_emu help page
diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
index 1e29e6cd..c4fa7896 100644
--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -7071,6 +7071,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
 void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
 {
   ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
+  if(maxlen<16) return; // too short, so broken
   CameraInfo[0] = 0;
   CameraInfo[1] = 0;
   switch (id) {
@@ -8631,7 +8632,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
     {
       if (tag == 0x000d && len < 256000) // camera info
         {
-          CanonCameraInfo = (uchar*)malloc(len);
+          CanonCameraInfo = (uchar*)malloc(MAX(16,len));
           fread(CanonCameraInfo, len, 1, ifp);
           lenCanonCameraInfo = len;
         }
@@ -9496,7 +9497,7 @@ void CLASS parse_makernote (int base, int uptag)
     {
       if (tag == 0x000d && len < 256000) // camera info
         {
-          CanonCameraInfo = (uchar*)malloc(len);
+          CanonCameraInfo = (uchar*)malloc(MAX(16,len));
           fread(CanonCameraInfo, len, 1, ifp);
           lenCanonCameraInfo = len;
         }
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index df7c6bbb..18bcdbcb 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
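Review bot: The new `if(maxlen<16) return;` only proves the first 16 bytes exist, while the `switch (id)` that follows (its body is outside the hunk) is where CameraInfo is read at per-model offsets, so any access beyond offset 15 still needs its own comparison against `maxlen`; the guard is a floor, not a bounds check. A comment saying so would stop the next maintainer from treating it as sufficient, e.g. `// 16 is only the smallest layout; every per-id read below must still check its offset against maxlen`. Note also that the early return happens before `CameraInfo[0] = 0; CameraInfo[1] = 0;`, so a short buffer is left with whatever the caller read into it — harmless only if callers ignore the buffer when the parse bails, which is not visible here. processCanonCameraInfo continues past the end of the hunk.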
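Review bot: `fread(CanonCameraInfo, len, 1, ifp);` in parse_makernote_0xc634 still discards its return value, so a file that ends before `len` bytes leaves the tail of the buffer uninitialized while `lenCanonCameraInfo = len;` advertises the full length to the parser. Checking the read and discarding the buffer on a short read would close that: `if (fread(CanonCameraInfo, len, 1, ifp) != 1) { free(CanonCameraInfo); CanonCameraInfo = NULL; lenCanonCameraInfo = 0; }`. The slack that `MAX(16,len)` adds when `len < 16` is likewise never written, so `calloc(MAX(16,len), 1)` would be the safer allocation; as far as this hunk shows, only the `maxlen<16` early return in processCanonCameraInfo keeps those indeterminate bytes from being parsed, and that holds only if the caller passes lenCanonCameraInfo rather than the allocation size. The malloc result is also passed to fread without a NULL check. The enclosing if-block begins outside the hunk.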
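Review bot: In parse_makernote the assignment `CanonCameraInfo = (uchar*)malloc(MAX(16,len));` overwrites whatever the pointer already held, so a crafted makernote that carries tag 0x000d more than once leaks the previous buffer on each repeat unless it is freed somewhere between tag iterations that I cannot see; a `free(CanonCameraInfo);` immediately before the malloc (free(NULL) is a no-op) would make the block safe to re-enter. The `len < 256000` cap bounds the allocation, but the malloc result still goes straight into fread without a NULL check. This block is a byte-for-byte copy of the one in parse_makernote_0xc634 and the same one-line fix had to be applied in both; a small static helper that reads tag 0x000d into CanonCameraInfo would keep the two from drifting apart on the next fix. The surrounding if-block starts outside the hunk.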
@@ -5888,6 +5888,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
 void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
 {
   ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
+  if(maxlen<16) return; // too short, so broken
   CameraInfo[0] = 0;
   CameraInfo[1] = 0;
   switch (id) {
@@ -7448,7 +7449,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
     {
       if (tag == 0x000d && len < 256000) // camera info
         {
-          CanonCameraInfo = (uchar*)malloc(len);
+          CanonCameraInfo = (uchar*)malloc(MAX(16,len));
           fread(CanonCameraInfo, len, 1, ifp);
           lenCanonCameraInfo = len;
         }
@@ -8313,7 +8314,7 @@ void CLASS parse_makernote (int base, int uptag)
     {
       if (tag == 0x000d && len < 256000) // camera info
         {
-          CanonCameraInfo = (uchar*)malloc(len);
+          CanonCameraInfo = (uchar*)malloc(MAX(16,len));
           fread(CanonCameraInfo, len, 1, ifp);
           lenCanonCameraInfo = len;
         }
diff --git a/libraw/libraw_version.h b/libraw/libraw_version.h
index e4891ee6..4ac0e39d 100644
--- a/libraw/libraw_version.h
+++ b/libraw/libraw_version.h
@@ -22,7 +22,7 @@ it under the terms of the one of two licenses as you choose:
 #define LIBRAW_MAJOR_VERSION 0
 #define LIBRAW_MINOR_VERSION 18
-#define LIBRAW_PATCH_VERSION 3
+#define LIBRAW_PATCH_VERSION 4
 #define LIBRAW_VERSION_TAIL Release
 #define LIBRAW_SHLIB_CURRENT 16
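Review bot: The bare `16` in `if(maxlen<16) return;` is the same constant the two `malloc(MAX(16,len))` calls later in this file rely on, but nothing ties the three together, so changing one without the others would silently reopen the overrun this commit fixes. Naming it once, e.g. `#define CANON_CAMERAINFO_MINLEN 16` next to the other macros the file already uses (MAX is visible in the hunks), and using it in all three places would make the coupling explicit. The comment `// too short, so broken` could also say what 16 is the minimum for; from the hunk alone it appears to be the smallest offset the per-id `switch (id)` reads, but that switch body lies outside the hunk. processCanonCameraInfo continues past the hunk.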
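Review bot: In parse_makernote_0xc634 the result of `fread(CanonCameraInfo, len, 1, ifp);` is still ignored, so a truncated file leaves part of the buffer uninitialized while `lenCanonCameraInfo = len;` claims it was fully read; the new `MAX(16,len)` padding is never written either when `len < 16`. Both gaps close with `CanonCameraInfo = (uchar*)calloc(MAX(16,len), 1);` followed by `if (fread(CanonCameraInfo, len, 1, ifp) != 1) { free(CanonCameraInfo); CanonCameraInfo = NULL; lenCanonCameraInfo = 0; }`. The allocation is also used without a NULL check; with `len` capped at 256000 that is unlikely to fail, but the fread would then write through NULL. The enclosing if-block begins outside the hunk.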
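Review bot: In parse_makernote, `CanonCameraInfo = (uchar*)malloc(MAX(16,len));` discards any buffer the pointer already held, so a makernote that repeats tag 0x000d leaks one allocation per repeat unless the pointer is freed between tags somewhere outside this hunk; a `free(CanonCameraInfo);` before the malloc would cover that case. The block duplicates the one in parse_makernote_0xc634 line for line, which is why this commit had to patch the same statement twice in this file (and twice more in dcraw.c); a shared helper for reading the camera-info tag would mean the next bounds fix lands once. The surrounding if-block starts outside the hunk.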