diff --git a/fix-CVE-2024-39133.patch b/fix-CVE-2024-39133.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ce049200c8853f4d43b4f7669f41a314a52775ed
--- /dev/null
+++ b/fix-CVE-2024-39133.patch
@@ -0,0 +1,31 @@
+From 550e30e76a550d933fe72fc14209403c48d5f5bf Mon Sep 17 00:00:00 2001
+From: vlefebvre
+Date: Tue, 6 Aug 2024 16:01:02 +0200
+Subject: [PATCH] parse_root_dir: Verify size of extra obtained
+Reference:https://github.com/keentux/zziplib/commit/550e30e76a550d933fe72fc14209403c48d5f5bf
+
+* Fix the issue #164 where extra_ptr could be alocated without enough
+ bytes to check the magic value.
+
+Signed-off-by: vlefebvre
+---
+ zzip/zip.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 56b5966..d4c447e 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -524,7 +524,8 @@ __zzip_parse_root_directory(int fd, struct _disk_trailer* trailer, struct zzip_d
+ hdr->d_namlen = u_namlen;
+
+ /* looking for ZIP64 extras when csize on intmax */
+- if (u_extras && (hdr->d_csize & 0xFFFFu == 0xFFFFu)) {
++ if (u_extras >= __sizeof(struct zzip_extra_zip64) &&
++ (hdr->d_csize & 0xFFFFu == 0xFFFFu)) {
+ DBG3("%i extras bytes (%i)", u_extras, sizeof(struct zzip_extra_zip64));
+ zzip_off64_t zz_extras = zz_offset + sizeof(*d) + u_namlen;
+ zzip_byte_t* extras_ptr;
+--
+2.27.0
+
diff --git a/zziplib.spec b/zziplib.spec
index 93bd5ed4092ae13cff02aa78b7dd6eac22dae09e..04448fd7bd1fd72033752f09422b8c9cd27ee422 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,12 +1,13 @@
 Name: zziplib
 Version: 0.13.74
-Release: 2
+Release: 3
 Summary: Lightweight library for zip compression
 License: LGPLv2+ or MPLv1.1
 URL: http://zziplib.sourceforge.net
 Source0: https://github.com/gdraheim/zziplib/archive/refs/tags/v0.13.74.tar.gz
 Patch0001: fix-CVE-2024-39134.patch
+Patch0002: fix-CVE-2024-39133.patch
 BuildRequires: perl-interpreter zip xmlto
 BuildRequires: zlib-devel SDL-devel pkgconfig autoconf automake gcc make
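Review bot: The retained test `(hdr->d_csize & 0xFFFFu == 0xFFFFu)` in the zzip/zip.c hunk that fix-CVE-2024-39133.patch carries parses as `hdr->d_csize & (0xFFFFu == 0xFFFFu)`, because `==` binds tighter than `&`, so the ZIP64-extras branch is taken for any odd compressed size instead of only for the "csize on intmax" case the comment names. As far as the hunk shows, that leaves the new `u_extras >= __sizeof(struct zzip_extra_zip64)` comparison as the only thing limiting when archive-supplied extra data is parsed; I would parenthesize the mask, `(hdr->d_csize & 0xFFFFu) == 0xFFFFu`, and confirm against the declaration of d_csize (not visible here) whether the sentinel should be the full-width `0xFFFFFFFFu`. The context line `DBG3("%i extras bytes (%i)", ...)` also passes a `sizeof` result to `%i`, which needs a cast or `%zu` if DBG3 is printf-style. __zzip_parse_root_directory begins and ends outside the hunk, so the read that fills extras_ptr could not be checked.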
@@ -71,6 +72,9 @@ This package includes help documentation and manuals related to zziplib.
 %{_mandir}/man3/*
 %changelog
+* Mon Aug 12 2024 baiguo - 0.13.74-3
+- fix CVE-2024-39133
+
 * Fri Aug 9 2024 baiguo - 0.13.74-2
 - fix CVE-2024-39134