diff --git a/CVE-2021-20304.patch b/CVE-2021-20304.patch
new file mode 100644
index 0000000000000000000000000000000000000000..75a33e433c8f8f788dcf4e118a7fea368f50d239
--- /dev/null
+++ b/CVE-2021-20304.patch
@@ -0,0 +1,176 @@
+diff -Nur openexr-2.2.0-old/IlmImf/ImfHuf.cpp openexr-2.2.0/IlmImf/ImfHuf.cpp
+--- openexr-2.2.0-old/IlmImf/ImfHuf.cpp	2022-08-17 15:20:22.318533447 +0800
++++ openexr-2.2.0/IlmImf/ImfHuf.cpp	2022-08-17 15:21:35.495110223 +0800
+@@ -897,6 +897,11 @@
+ 		//
+ 
+ 		lc -= pl.len;
++
++		if ( lc < 0 )
++		{
++			invalidCode(); // code length too long
++		}
+ 		getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+ 	    }
+ 	    else
+@@ -954,6 +959,10 @@
+ 	if (pl.len)
+ 	{
+ 	    lc -= pl.len;
++            if ( lc < 0 )
++            {
++   	        invalidCode(); // code length too long
++            }
+ 	    getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
+ 	}
+ 	else
+diff -Nur openexr-2.2.0-old/IlmImfTest/testHuf.cpp openexr-2.2.0/IlmImfTest/testHuf.cpp
+--- openexr-2.2.0-old/IlmImfTest/testHuf.cpp	2022-08-17 15:20:22.338533604 +0800
++++ openexr-2.2.0/IlmImfTest/testHuf.cpp	2022-08-17 15:22:57.471756360 +0800
+@@ -180,67 +180,86 @@
+ 
+ 	IMATH_NAMESPACE::Rand48 rand48 (0);
+ 
+-	const int N = 1000000;
+-	Array <unsigned short> raw (N);
++        //
++        // FastHufDecoder is used for more than 128 bits, so first test with fewer than 128 bits,
++        // then test FastHufDecoder
++        //
++        for (int pass = 0 ; pass < 2 ; ++pass)
++        {
++
++            int N = pass==0 ? 12 : 1000000;
++            Array <unsigned short> raw (N);
++
++            fill1 (raw, N, 1, rand48);	  // test various symbol distributions
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill1 (raw, N, 10, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill1 (raw, N, 100, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill1 (raw, N, 1000, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++
++            fill2 (raw, N, 1, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill2 (raw, N, 10, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill2 (raw, N, 100, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill2 (raw, N, 1000, rand48);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++
++            fill3 (raw, N, 0);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill3 (raw, N, 1);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill3 (raw, N, USHRT_MAX - 1);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++            fill3 (raw, N, USHRT_MAX);
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++
++            if (pass==1)
++            {
++                fill4 (raw, USHRT_MAX + 1);
++                compressVerify(raw, USHRT_MAX + 1, HUF_COMPRESS_DEK_HASH_FOR_FILL4_USHRT_MAX_PLUS_ONE);
++
++                compressUncompress (raw, USHRT_MAX + 1);
++                compressUncompressSubset (raw, USHRT_MAX + 1);
++                fill4 (raw, N);
++                compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL4_N);
++            }
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
++
++            fill4 (raw, 0);
++            compressUncompress (raw, 0);	// test small input data sets
++            fill4 (raw, 1);
++            compressUncompress (raw, 1);
++            fill4 (raw, 2);
++            compressUncompress (raw, 2);
++            fill4 (raw, 3);
++            compressUncompress (raw, 3);
++
++            fill5 (raw, N);			// test run-length coding of code table
++            if (pass==1)
++            {
++                compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL5_N);
++            }
++            compressUncompress (raw, N);
++            compressUncompressSubset (raw, N);
+ 
+-	fill1 (raw, N, 1, rand48);	  // test various symbol distributions
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill1 (raw, N, 10, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill1 (raw, N, 100, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill1 (raw, N, 1000, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-
+-	fill2 (raw, N, 1, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill2 (raw, N, 10, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill2 (raw, N, 100, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill2 (raw, N, 1000, rand48);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-
+-	fill3 (raw, N, 0);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill3 (raw, N, 1);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill3 (raw, N, USHRT_MAX - 1);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-	fill3 (raw, N, USHRT_MAX);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-
+-	fill4 (raw, USHRT_MAX + 1);
+-	compressUncompress (raw, USHRT_MAX + 1);
+-	compressUncompressSubset (raw, USHRT_MAX + 1);
+-	fill4 (raw, N);
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
+-
+-	fill4 (raw, 0);
+-	compressUncompress (raw, 0);	// test small input data sets
+-	fill4 (raw, 1);
+-	compressUncompress (raw, 1);
+-	fill4 (raw, 2);
+-	compressUncompress (raw, 2);
+-	fill4 (raw, 3);
+-	compressUncompress (raw, 3);
+-
+-	fill5 (raw, N);			// test run-length coding of code table
+-	compressUncompress (raw, N);
+-	compressUncompressSubset (raw, N);
++        }
+ 
+ 	cout << "ok\n" << endl;
+     }
diff --git a/OpenEXR.spec b/OpenEXR.spec
index 127d5f52966238a7a5f32964d2a6f44d655de1bd..90ff1dd1c899ad967bf5baddd31c6e3b867af03f 100644
--- a/OpenEXR.spec
+++ b/OpenEXR.spec
@@ -37,6 +37,7 @@ Patch0024:      CVE-2021-20300.patch
 Patch0025:      CVE-2021-20302.patch
 #https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17
 Patch0026:      CVE-2021-3933.patch
+Patch1101:      CVE-2021-20304.patch
 
 BuildConflicts: %{name}-devel < 2.2.0
 BuildRequires:  gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@@ -100,6 +101,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
 %{_libdir}/pkgconfig/OpenEXR.pc
 
 %changelog
+* Thu Aug 18 2022 mayp <mayanping@ncti-gba.cn> - 2.2.0-27
+- Fix CVE-2021-20304
+
 * Fri Jul 15 2022 weichao.zhang <weichao.zhang@epro.com.cn> - 2.2.0-26
 - Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 
 
@@ -109,8 +113,8 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
 * Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.2.0-24
 - Fix CVE-2021-20303
 
-* Wed Sat 1 2021 liwu<liwu13@huawei.com> - 2.2.0-23
-- fix CVE-2021-3605
+* Wed Sep 1 2021 liwu <liwu13@huawei.com> - 2.2.0-23
+- Fix CVE-2021-3605
 
 * Mon Jul 12 2021 yaoxin <yaoxin30@huawei.com> - 2.2.0-22
 - fix CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306