diff --git a/backport-CVE-2024-1580.patch b/backport-CVE-2024-1580.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f80ac9fae5e0c344168a907df5c7c4c222a37384
--- /dev/null
+++ b/backport-CVE-2024-1580.patch
@@ -0,0 +1,62 @@ +From 2b475307dc11be9a1c3cc4358102c76a7f386a51 Mon Sep 17 00:00:00 2001 +From: Henrik Gramner +Date: Tue, 21 Nov 2023 20:47:50 +0100 +Subject: [PATCH] Fix tile_start_off calculations for extremely large frame + sizes + +The tile start offset, in pixels, can exceed the range of a signed int. +--- + src/decode.c | 13 +++++++------ + src/internal.h | 2 +- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/decode.c b/src/decode.c +index e33cc3a..068c388 100644 +--- a/src/decode.c ++++ b/src/decode.c +@@ -2316,7 +2316,7 @@ static void setup_tile(Dav1dTileState *const ts, + const Dav1dFrameContext *const f, + const uint8_t *const data, const size_t sz, + const int tile_row, const int tile_col, +- const int tile_start_off) ++ const unsigned tile_start_off) + { + const int col_sb_start = f->frame_hdr->tiling.col_start_sb[tile_col]; + const int col_sb128_start = col_sb_start >> !f->seq_hdr->sb128; +@@ -2705,15 +2705,16 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) { + const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout]; + const int hbd = !!f->seq_hdr->hbd; + if (c->n_fc > 1) { ++ const unsigned sb_step4 = f->sb_step * 4; + int tile_idx = 0; + for (int tile_row = 0; tile_row < f->frame_hdr->tiling.rows; tile_row++) { +- int row_off = f->frame_hdr->tiling.row_start_sb[tile_row] * +- f->sb_step * 4 * f->sb128w * 128; +- int b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] - +- f->frame_hdr->tiling.row_start_sb[tile_row]) * f->sb_step * 4; ++ const unsigned row_off = f->frame_hdr->tiling.row_start_sb[tile_row] * ++ sb_step4 * f->sb128w * 128; ++ const unsigned b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] - ++ f->frame_hdr->tiling.row_start_sb[tile_row]) * sb_step4; + for (int tile_col = 0; tile_col < f->frame_hdr->tiling.cols; tile_col++) { + f->frame_thread.tile_start_off[tile_idx++] = row_off + b_diff * +- f->frame_hdr->tiling.col_start_sb[tile_col] * f->sb_step * 4; ++ 
f->frame_hdr->tiling.col_start_sb[tile_col] * sb_step4; + } + } + +diff --git a/src/internal.h b/src/internal.h +index a566ded..f70d548 100644 +--- a/src/internal.h ++++ b/src/internal.h +@@ -207,7 +207,7 @@ struct Dav1dFrameContext { + coef *cf; + int pal_sz, pal_idx_sz, cf_sz; + // start offsets per tile +- int *tile_start_off; ++ unsigned *tile_start_off; + } frame_thread; + + // loopfilter +-- +GitLab diff --git a/dav1d.spec b/dav1d.spec index 6bf444abd1d166f4693a70253f3c892f35ae39f3..4d5d2caeb63f8df8aee5311859081236fbecc5d1 100644 --- a/dav1d.spec +++ b/dav1d.spec @@ -1,12 +1,12 @@ Name: dav1d Version: 0.5.2 -Release: 3 +Release: 4 Summary: AV1 cross-platform Decoder License: BSD URL: https://code.videolan.org/videolan/dav1d Source0: %{url}/-/archive/%{version}/%{name}-%{version}.tar.bz2 - +Patch6000: backport-CVE-2024-1580.patch BuildRequires: gcc nasm doxygen BuildRequires: meson >= 0.47.0 @@ -58,6 +58,12 @@ Development files for dav1d, the AV1 cross-platform Decoder. %{_libdir}/pkgconfig/%{name}.pc %changelog +* Thu Aug 28 2025 zhangpan - 0.5.2-4 +- Type:CVE +- CVE:CVE-2024-1580 +- SUG:NA +- DESC:fix CVE-2024-1580 + * Mon Jun 20 2022 zhangfan - 0.5.2-3 - Update Source0
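Review bot: The backported hunks carry upstream context (decode.c `@@ -2316` and `@@ -2705`, internal.h `@@ -207`, authored Nov 2023) while this package is dav1d 0.5.2, so the patch most likely applies only with offsets or needs manual rebasing; confirm in the build log that all three hunks land, and that `const unsigned sb_step4 = f->sb_step * 4;` ends up inside the `c->n_fc > 1` branch ahead of the tile loop rather than elsewhere. The fix widens `tile_start_off` and the matching `setup_tile` parameter from `int` to `unsigned`, so any other reader of `f->frame_thread.tile_start_off` in 0.5.2 (none is visible in this hunk) should be checked for a signed use such as a comparison against an `int`. The field comment in internal.h could carry the reason for the type, e.g. `// start offsets per tile, in pixels; unsigned because the offset can exceed INT_MAX for very large frames (CVE-2024-1580)`. The enclosing functions `setup_tile` and `dav1d_decode_frame` start and end outside the hunk.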
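Review bot: `Patch6000: backport-CVE-2024-1580.patch` is declared in the preamble, but the `%prep` section that would apply it lies outside this hunk; if it uses a plain `%setup` rather than `%autosetup -p1` or an explicit patch application, the patch is listed but never applied and the built package still carries CVE-2024-1580. A build-log check that `backport-CVE-2024-1580.patch` is actually applied would close that gap. The hunk also replaces the blank line after `Source0` instead of adding a new one, which is cosmetic but leaves the preamble slightly less readable.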