diff --git a/backport-CVE-2022-2476.patch b/backport-CVE-2022-2476.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7289386d9fc218b04637bd8a7bdc6bbf90756844
--- /dev/null
+++ b/backport-CVE-2022-2476.patch
@@ -0,0 +1,57 @@
+From 25b4a2725d8568212e7cf89ca05ca29d128af7ac Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Jul 2022 18:58:19 -0700
+Subject: [PATCH] issue #121: NULL pointer dereference in wvunpack.c
+
+* check for NULL pointer before dereferencing in wvunpack.c
+* sanitize custom extensions to be alphanumeric only
+---
+ cli/wvunpack.c   |  6 ++++--
+ src/open_utils.c | 10 ++++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/cli/wvunpack.c b/cli/wvunpack.c
+index c8dea624..9a5a49aa 100644
+--- a/cli/wvunpack.c
++++ b/cli/wvunpack.c
+@@ -907,8 +907,10 @@ int main(int argc, char **argv)
+ 
+             // clean up in preparation for potentially another file
+ 
+-            if (outpath)
+-                *filespec_name (outfilename) = '\0';
++            if (outpath) {
++                if (filespec_name (outfilename))
++                    *filespec_name (outfilename) = '\0';
++            }
+             else if (*outfilename != '-') {
+                 free (outfilename);
+                 outfilename = NULL;
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 3e14de50..795471eb 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -18,6 +18,7 @@
+ 
+ #include <stdlib.h>
+ #include <string.h>
++#include <ctype.h>
+ 
+ #include "wavpack_local.h"
+ 
+@@ -796,8 +797,13 @@ static int process_metadata (WavpackContext *wpc, WavpackMetadata *wpmd)
+ 
+         case ID_ALT_EXTENSION:
+             if (wpmd->byte_length && wpmd->byte_length < sizeof (wpc->file_extension)) {
+-                memcpy (wpc->file_extension, wpmd->data, wpmd->byte_length);
+-                wpc->file_extension [wpmd->byte_length] = 0;
++                int i, j;
++
++                for (i = j = 0; i < wpmd->byte_length; ++i)
++                    if (isalnum (((char *) wpmd->data) [i]))
++                        wpc->file_extension [j++] = ((char *) wpmd->data) [i];
++
++                wpc->file_extension [j] = 0;
+             }
+ 
+             return TRUE;
diff --git a/wavpack.spec b/wavpack.spec
index 9e5845bb92bb2bee69345558f1debc4b891b647d..d871efd2e8362eabd91425bfd3b8a7a93084d883 100644
--- a/wavpack.spec
+++ b/wavpack.spec
@@ -1,11 +1,12 @@
 Name:           wavpack
 Version:        5.3.0
-Release:        2
+Release:        3
 Summary:        Hybrid Lossless Wavefile Compressor
 License:        BSD
 Url:            http://www.wavpack.com/
 Source:         https://github.com/dbry/WavPack/releases/download/%{version}/%{name}-%{version}.tar.xz
 Patch0000:      CVE-2020-35738.patch
+Patch0001:      backport-CVE-2022-2476.patch
 
 BuildRequires:  autoconf automake libtool
 
@@ -66,6 +67,9 @@ autoreconf -ivf
 %{_mandir}/man1/*.1*
 
 %changelog
+* Fri Nov 29 2024 Funda Wang <fundawang@yeah.net> - 5.3.0-3
+- fix CVE-2022-2476
+
 * Thu Mar 4 2021 wangxiao <wangxiao65@huawei.com> - 5.3.0-2
 - Fix CVE-2020-35738