diff --git a/CVE-2018-20337.patch b/CVE-2018-20337.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8c5754687f4194d1f09beae9005f447e9da7467d
--- /dev/null
+++ b/CVE-2018-20337.patch
@@ -0,0 +1,21 @@
+From fbf60377c006eaea8d3eca3f5e4c654909dcdfd2 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Wed, 19 Dec 2018 11:15:08 +0300
+Subject: [PATCH] possible buffer overrun in Fuji makernotes parser
+
+---
+ internal/dcraw_common.cpp | 2 +-
+
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index 936aebf9..a0cd7226 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -10345,7 +10345,7 @@ void CLASS parse_makernote(int base, int uptag)
+ else
+ year += 1900;
+
+- ynum_len = (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18;
++ ynum_len = MIN((sizeof(ynum)-1), (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18);
+ strncpy(ynum, words[i], ynum_len);
+ ynum[ynum_len] = 0;
+ for (int j = 0; ynum[j] && ynum[j + 1] && sscanf(ynum + j, "%2x", &c); j += 2)
diff --git a/LibRaw.spec b/LibRaw.spec
index 119c1153cfd8e685455111792742b923f8598914..fde06924bfe5e301799ef5275cb58130a5fd860f 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -7,6 +7,7 @@ URL: http://www.libraw.org
 Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Patch0002: LibRaw-0.17.1-CVE-2015-8366-8367.patch
 Patch6000: LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
+Patch6001: CVE-2018-20337.patch
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 Provides: bundled(dcraw) = 9.25
@@ -66,6 +67,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*
 %changelog
+* Mon Jul 13 2020 wangyue - 0.19.0-9
+- Fix CVE-2018-20337.
+
 * Mon Mar 09 2020 songnannan - 0.19.0-8
 - disable the jasper
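Review bot: In the embedded dcraw_common.cpp hunk of CVE-2018-20337.patch, the new `MIN((sizeof(ynum)-1), (int)strnlen(...) - 18)` compares a `size_t` with an `int`, so the upper bound on `ynum_len` holds only through implicit conversion. If the string were ever shorter than 18 characters the right operand would be negative, and with the usual ternary `MIN` it is only the unsigned conversion that makes the result fall back to `sizeof(ynum)-1` instead of a negative length reaching `strncpy`. parse_makernote starts and ends outside the hunk, so whether an earlier length check already excludes that case, and how `MIN`, `ynum` and `ynum_len` are declared, cannot be confirmed from here. Making the clamp explicit in one signed type would be sturdier, e.g. `int n = (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18;` followed by `ynum_len = n < 0 ? 0 : MIN(n, (int)sizeof(ynum) - 1);`. As this is a downstream backport, it is also worth confirming that the spec's %prep stage applies Patch6001, which the LibRaw.spec hunks do not show.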