diff --git a/CVE-2021-32493.patch b/CVE-2021-32493.patch
new file mode 100644
index 0000000..1f7fa17
--- /dev/null
+++ b/CVE-2021-32493.patch
@@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include
+ #include
+ #include
++#include
+
+ // - Author: Leon Bottou, 05/1997
+
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+ // initialize pixel array
+ if (nrows==0 || ncolumns==0)
+ G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns > USHRT_MAX - border)
++ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+ bytes_per_row = ncolumns + border;
+ if (runs==0)
+ G_THROW( ERR_MSG("GBitmap.null_arg") );
diff --git a/CVE-2021-3500.patch b/CVE-2021-3500.patch
new file mode 100644
index 0000000..420aefb
--- /dev/null
+++ b/CVE-2021-3500.patch
@@ -0,0 +1,36 @@
+diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
+index 2b3e0d2..ede7f6b 100644
+--- a/libdjvu/DjVuPort.cpp
++++ b/libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+ GPList list;
++
++ if (!!opening_id && opening_id == id)
++ G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
++ else
++ opening_id = id;
++
+ compute_closure(source, list, true);
+ GP file;
+ for(GPosition pos=list;pos;++pos)
+ if ((file=list[pos]->id_to_file(source, id))) break;
++
++ opening_id = GUTF8String();
++
+ return file;
+ }
+
+diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
+index e2b3125..313dc2b 100644
+--- a/libdjvu/DjVuPort.h
++++ b/libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ private:
+ const DjVuPort *dst, int distance);
+ void compute_closure(const DjVuPort *src, GPList &list,
+ bool sorted=false);
++ GUTF8String opening_id;
+ };
+
+
diff --git a/djvulibre.spec b/djvulibre.spec
index c2336c6..200ad7a 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
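Review bot: The row-size guard added to GBitmap::decode() in CVE-2021-32493.patch has no comment explaining why USHRT_MAX is the limit, and it throws a literal string where the two neighbouring throws go through ERR_MSG. Presumably bytes_per_row is a 16-bit field, so a line such as `// bytes_per_row is 16-bit: reject widths whose sum with border would wrap` would stop the check from later being removed as redundant. Routing the new message through ERR_MSG like its neighbours would keep error handling uniform. Only part of decode() is visible in the hunk; any other site that assigns `ncolumns + border` to bytes_per_row lies outside it and should be confirmed to enforce the same bound.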
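Review bot: In CVE-2021-3500.patch, DjVuPortcaster::id_to_file() clears opening_id only on the normal return path. Any exception raised after the assignment, including the recursive_open throw from a nested call, therefore leaves the marker set, and a later legitimate lookup of the same id would be rejected as recursive. The single slot also appears to catch only a direct re-entry with the same id: a nested call with a different id overwrites the marker and then empties it, so a longer cycle would go undetected (the callers are outside the hunk, so this is inferred). A scope guard that restores the previous value on every exit path addresses the first point, as sketched below; covering the second would need a set of in-flight ids. The new member is also unsynchronised, which matters if one portcaster is used from several threads.

```cpp
// … unchanged: signature and the local port list …
  if (!!opening_id && opening_id == id)
    G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
  // Put the previous marker back on every exit path, exceptions included.
  struct OpeningIdReset {
    GUTF8String &slot;
    GUTF8String saved;
    ~OpeningIdReset() { slot = saved; }
  } reset = { opening_id, opening_id };
  opening_id = id;
  // … unchanged: compute_closure() and the lookup loop …
  return file;
```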
@@ -1,7 +1,7 @@ Name: djvulibre Summary: An open source (GPL'ed) implementation of DjVu Version: 3.5.27 -Release: 15 +Release: 16 License: GPLv2+ URL: http://djvu.sourceforge.net/ Source0: http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz @@ -12,6 +12,8 @@ Patch3: CVE-2019-15144.patch Patch4: CVE-2019-15145.patch Patch5: CVE-2019-18804.patch Patch6: update-any2djvu-server-hostname.patch +Patch7: CVE-2021-32493.patch +Patch8: CVE-2021-3500.patch Requires(post): xdg-utils Requires(preun): xdg-utils BuildRequires: libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++ @@ -94,6 +96,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || : %{_mandir}/man1/* %changelog +* Wen Jun 30 2021 houyingchao - 3.5.27-16 +- Fix CVE-2021-32493 CVE-2021-3500 + * Thu Jan 28 2021 lingsheng - 3.5.27-15 - update any2djvu server hostname