diff --git a/backport-CVE-2021-44648.patch b/backport-CVE-2021-44648.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c0616fbc13b5f472f53c07585fb51b7f81fcd928
--- /dev/null
+++ b/backport-CVE-2021-44648.patch
@@ -0,0 +1,40 @@
+From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <Robert Ancell @robert.ancell>
+Date: Tue, 24 May 2022 14:36:15 +0800
+Subject: [PATCH] Fix overflow when reading GIF images with invalid LZW initial code size.
+ 
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130/diffs?commit_id=19ebba03117aefc9d0312f675f3a210ffdcc4907
+---
+ gdk-pixbuf/io-gif.c | 2 +-
+ gdk-pixbuf/lzw.c    | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ 
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 1befba1..3d2a7a9 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -500,7 +500,7 @@ gif_prepare_lzw (GifContext *context)
+ 		return -1;
+ 	}
+         
+-        if (context->lzw_set_code_size > 12) {
++        if (context->lzw_set_code_size >= 12) {
+                 g_set_error_literal (context->error,
+                                      GDK_PIXBUF_ERROR,
+                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 105daf2..f3fae17 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
+         LZWDecoder *self;
+         int i;
+ 
++        g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
++
+         self = g_object_new (lzw_decoder_get_type (), NULL);
+ 
+         self->min_code_size = code_size;
+-- 
+2.27.0
diff --git a/gdk-pixbuf2.spec b/gdk-pixbuf2.spec
index d403b3a3eed29f078a4419b47fc7ee9a9569a8d4..ac2db7f37a50342d99fe9238067f1c1a9610e481 100644
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@@ -1,15 +1,17 @@
 Name:           gdk-pixbuf2
 Version:        2.40.0
-Release:        4
+Release:        5
 Summary:        gdk is a multi-platform toolkit for creating graphical user interfaces.
 
 License:        LGPLv2+
 URL:            http://www.gtk.org
 Source0:        http://download.gnome.org/sources/gdk-pixbuf/2.40/gdk-pixbuf-%{version}.tar.xz
+Source1:        invalid-colors.gif
 
 Patch0001:	backport-CVE-2021-20240.patch
 Patch0002:	backport-CVE-2020-29385.patch
 Patch0003:	backport-CVE-2021-46829.patch
+Patch0004:	backport-CVE-2021-44648.patch
 
 BuildRequires:  gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info
 BuildRequires:  meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb
@@ -46,6 +48,7 @@ developing applications that uses gdk-pixbuf2 xlib and test.
 
 %prep
 %autosetup -n gdk-pixbuf-%{version} -p1
+cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
 
 %build
 %meson -Dbuiltin_loaders=png -Ddocs=true 
@@ -102,6 +105,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_mandir}/man1/gdk-pixbuf-csource.1*
 
 %changelog
+* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.40.0-5
+- fix CVE-2021-44648
+
 * Fri Mar 17 2023 zhangpan <zhangpan103@h-partners.com> - 2.40.0-4
 - enable test
 
diff --git a/invalid-colors.gif b/invalid-colors.gif
new file mode 100644
index 0000000000000000000000000000000000000000..6c3a7240e6ba58c344051351eb3581887fa314c7
Binary files /dev/null and b/invalid-colors.gif differ