diff --git a/CVE-2018-19869.patch b/CVE-2018-19869.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a3dab7e3ac70babf8c130e81015e9bc676a5e5dc
--- /dev/null
+++ b/CVE-2018-19869.patch
@@ -0,0 +1,43 @@
+From 39c31b0454ad7f4f72237cc23fcfb8ef2f80cea9 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland
+Date: Mon, 9 Jul 2018 10:45:22 +0200
+Subject: [PATCH] Fix crash when parsing misformed url reference
+
+The parsing did not check for end of input.
+
+[ChangeLog][][]
+
+Change-Id: I56a478877d242146395977b767511425d2b8ced1
+---
+ src/svg/qsvghandler.cpp | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 6d2e279..fe07d0e 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -774,16 +774,17 @@ static QVector parsePercentageList(const QChar *&str)
+ static QString idFromUrl(const QString &url)
+ {
+ QString::const_iterator itr = url.constBegin();
+- while ((*itr).isSpace())
++ QString::const_iterator end = url.constEnd();
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('('))
++ if (itr != end && (*itr) == QLatin1Char('('))
+ ++itr;
+- while ((*itr).isSpace())
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('#'))
++ if (itr != end && (*itr) == QLatin1Char('#'))
+ ++itr;
+ QString id;
+- while ((*itr) != QLatin1Char(')')) {
++ while (itr != end && (*itr) != QLatin1Char(')')) {
+ id += *itr;
+ ++itr;
+ }
+--
+2.16.3
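Review bot: In the final loop of idFromUrl, reaching `end` without seeing `)` now ends the loop quietly, so an unterminated reference returns whatever was collected as the id instead of being flagged as malformed. This looks like a packaged backport, so I would keep the code as the embedded patch has it and document the leniency above the loop, e.g. `// No closing ')': return the text read so far; the input is malformed but must not be read past end.` The embedded diffstat shows only src/svg/qsvghandler.cpp changing, so no regression test for truncated references ships with the fix; one covering empty and unterminated inputs would guard the five added `itr != end` checks. The function body continues past the hunk, and this diff adds only the .patch file, so confirm separately that the package build actually applies it.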