diff --git a/CVE-2021-33641.patch b/CVE-2021-33641.patch
new file mode 100644
index 0000000..5a601d5
--- /dev/null
+++ b/CVE-2021-33641.patch
@@ -0,0 +1,55 @@
+From 162549f599c4460bcefc1526cfa014fec626ebc5 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Sat, 26 Nov 2022 18:27:48 +0800
+
+Subject: [PATCH] fix CVE-2021-33641
+
+the global variable:cptr use-after-free in more_curly(),
+save original line in more_curly() in case get new line to fix
+CVE-2021-33641.
+---
+ reader.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/reader.c b/reader.c
+index 37dc2cb..2a1dfe5 100644
+--- a/reader.c
++++ b/reader.c
+@@ -1027,9 +1027,16 @@ trim_blanks(char *buffer)
+ static int
+ more_curly(void)
+ {
+- char *save = cptr;
++
+ int result = 0;
+ int finish = 0;
++ FILE *f = input_file;
++ long int old_pos = ftell(f);
++ int save_linesize = linesize;
++ char *save_line = TMALLOC(char, linesize);
++ NO_SPACE(save_line);
++ char *save_cptr = save_line + (cptr - line);
++ memcpy(save_line, line, linesize);
+ do
+ {
+ switch (next_inline())
+@@ -1046,7 +1053,15 @@ more_curly(void)
+ ++cptr;
+ }
+ while (!finish);
+- cptr = save;
++
++ // in case of next_inline malloc new line space
++ free(line);
++ cptr = save_cptr;
++ line = save_line;
++ linesize = save_linesize;
++ // Since get_line also move the postion in file forward
++ // we need to move it back
++ fseek(f, old_pos, SEEK_SET);
+ return result;
+ }
+
+--
+2.27.0
+
diff --git a/CVE-2021-33642.patch b/CVE-2021-33642.patch
new file mode 100644
index 0000000..44afe8f
--- /dev/null
+++ b/CVE-2021-33642.patch
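Review bot: The `fseek(f, old_pos, SEEK_SET)` that closes the new restore block is unchecked, and so is the `ftell(f)` that feeds it: on a non-seekable `input_file` (a pipe) `ftell()` yields -1, the rewind fails, and whatever `next_inline()` read past the current line is silently dropped from the grammar while `line`/`cptr` are rolled back — quieter than the old use-after-free, but still wrong output from attacker-chosen input. Guard both, e.g. `if (old_pos == -1L || fseek(f, old_pos, SEEK_SET) != 0)` and fail through the reader's usual fatal-error path (not visible here) rather than continuing. Rewinding the stream also does not undo anything else `get_line()` changes — if it advances a line counter or latches an EOF flag (both outside this hunk), later diagnostics and any `#line` output will be off, which deserves at least a `/* NOTE: only the line buffer and the stream offset are restored here */` comment. The `//` comments appear to be new to this file and will not compile if byacc is still built as C89; `/* ... */` is the safer form. The loop body of `more_curly()` between the two inner hunks is not shown.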
@@ -0,0 +1,44 @@
+From ab5ee87cbbe1b94a45d5c7974b321e2ee78d1238 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Sat, 26 Nov 2022 18:27:48 +0800
+Subject: [PATCH] fix CVE-2021-33642
+
+next_inline() return EOF cause infinite loop in more_curly(),
+Add EOF case in more_curly(), don't allow multiple line.
+---
+ reader.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/reader.c b/reader.c
+index 2a1dfe5..6a9bb7c 100644
+--- a/reader.c
++++ b/reader.c
+@@ -1030,8 +1030,10 @@ more_curly(void)
+
+ int result = 0;
+ int finish = 0;
++ int c;
+ FILE *f = input_file;
+ long int old_pos = ftell(f);
++ long int new_pos = old_pos;
+ int save_linesize = linesize;
+ char *save_line = TMALLOC(char, linesize);
+ NO_SPACE(save_line);
+@@ -1039,7 +1041,13 @@ more_curly(void)
+ memcpy(save_line, line, linesize);
+ do
+ {
+- switch (next_inline())
++ c = next_inline();
++ // Don't allow multiple line, so we use file position to check
++ // Only get_line() will move file postion forward
++ new_pos = ftell(f);
++ if (c == (EOF) || old_pos != new_pos)
++ break;
++ switch (c)
+ {
+ case 0:
+ case '\n':
+--
+2.27.0
+
diff --git a/byacc.spec b/byacc.spec index 2458645..271f506 100644 --- a/byacc.spec +++ b/byacc.spec @@ -2,12 +2,15 @@ Name: byacc Version: 2.0.%{byaccdate} -Release: 4 +Release: 5 Summary: A parser generator License: public domain URL: https://invisible-island.net/byacc/byacc.html Source0: https://invisible-mirror.net/archives/byacc/byacc-%{byaccdate}.tgz +Patch9000: CVE-2021-33641.patch +Patch9001: CVE-2021-33642.patch + BuildRequires: gcc %description @@ -45,6 +48,9 @@ make check %{_mandir}/man1/* %changelog +* Mon Dec 26 2022 zhoupengcheng - 2.0.20210808-5 +- fix CVE-2021-33641 and CVE-2021-33642 + * Sat Dec 24 2022 chenmaodong - 2.0.20210808-4 - Modify changelog error
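Review bot: The `old_pos != new_pos` test added before the `switch` is inert on a non-seekable `input_file`: both `ftell()` calls return -1 on a pipe, so the comparison is always false and the scan runs on into the freshly read line exactly as before this fix (the `c == EOF` test still breaks the infinite loop, but the single-line rule from the commit message is not enforced there and the later rewind cannot succeed). The check also runs only after `next_inline()` has already consumed that line, so any other reader state `get_line()` touches — a line counter or an EOF latch, neither visible in this hunk — has already changed by the time `more_curly()` rolls back. Handle the -1 case explicitly, e.g. `if (old_pos == -1L) /* cannot look ahead safely */` routed to the reader's existing fatal-error helper, and drop the redundant parentheses in `c == (EOF)`. This also narrows `more_curly()` to the current line, which the commit message acknowledges; any caller that relied on the cross-line lookahead now gets 0, so a comment at the function head such as `/* Only the current line is inspected; a '{' on a later line is not seen. */` would save the next reader a surprise. The restore block that this `break` jumps to sits after the loop, outside this hunk.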