diff --git a/CVE-2021-20304.patch b/CVE-2021-20304.patch new file mode 100644 index 0000000000000000000000000000000000000000..f79e6e593aa259bedb5d93f2ff451ef9dc523a7a --- /dev/null +++ b/CVE-2021-20304.patch 
@@ -0,0 +1,192 @@ +From c78042065812cb58ca51f331159d46415e66db8d Mon Sep 17 00:00:00 2001 +From: mayp +Date: Thu, 18 Aug 2022 16:49:57 +0800 +Subject: [PATCH] Fix CVE-2021-20304 + +--- + IlmImf/ImfHuf.cpp | 9 +++ + IlmImfTest/testHuf.cpp | 141 +++++++++++++++++++++++------------------ + 2 files changed, 89 insertions(+), 61 deletions(-) + +diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp +index aa708a8..82af799 100644 +--- a/IlmImf/ImfHuf.cpp ++++ b/IlmImf/ImfHuf.cpp +@@ -897,6 +897,11 @@ hufDecode + // + + lc -= pl.len; ++ ++ if ( lc < 0 ) ++ { ++ invalidCode(); // code length too long ++ } + getCode (pl.lit, rlc, c, lc, in, out, outb, oe); + } + else +@@ -954,6 +959,10 @@ hufDecode + if (pl.len) + { + lc -= pl.len; ++ if ( lc < 0 ) ++ { ++ invalidCode(); // code length too long ++ } + getCode (pl.lit, rlc, c, lc, in, out, outb, oe); + } + else +diff --git a/IlmImfTest/testHuf.cpp b/IlmImfTest/testHuf.cpp +index d2728fb..10d3906 100644 +--- a/IlmImfTest/testHuf.cpp ++++ b/IlmImfTest/testHuf.cpp +@@ -180,67 +180,86 @@ testHuf (const std::string&) + + IMATH_NAMESPACE::Rand48 rand48 (0); + +- const int N = 1000000; +- Array raw (N); +- +- fill1 (raw, N, 1, rand48); // test various symbol distributions +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill1 (raw, N, 10, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill1 (raw, N, 100, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill1 (raw, N, 1000, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- +- fill2 (raw, N, 1, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill2 (raw, N, 10, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill2 (raw, N, 100, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill2 (raw, N, 1000, rand48); +- compressUncompress (raw, N); +- compressUncompressSubset 
(raw, N); +- +- fill3 (raw, N, 0); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill3 (raw, N, 1); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill3 (raw, N, USHRT_MAX - 1); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- fill3 (raw, N, USHRT_MAX); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- +- fill4 (raw, USHRT_MAX + 1); +- compressUncompress (raw, USHRT_MAX + 1); +- compressUncompressSubset (raw, USHRT_MAX + 1); +- fill4 (raw, N); +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); +- +- fill4 (raw, 0); +- compressUncompress (raw, 0); // test small input data sets +- fill4 (raw, 1); +- compressUncompress (raw, 1); +- fill4 (raw, 2); +- compressUncompress (raw, 2); +- fill4 (raw, 3); +- compressUncompress (raw, 3); +- +- fill5 (raw, N); // test run-length coding of code table +- compressUncompress (raw, N); +- compressUncompressSubset (raw, N); ++ // ++ // FastHufDecoder is used for more than 128 bits, so first test with fewer than 128 bits, ++ // then test FastHufDecoder ++ // ++ for (int pass = 0 ; pass < 2 ; ++pass) ++ { ++ ++ int N = pass==0 ? 
12 : 1000000; ++ Array raw (N); ++ ++ fill1 (raw, N, 1, rand48); // test various symbol distributions ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill1 (raw, N, 10, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill1 (raw, N, 100, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill1 (raw, N, 1000, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ ++ fill2 (raw, N, 1, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill2 (raw, N, 10, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill2 (raw, N, 100, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill2 (raw, N, 1000, rand48); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ ++ fill3 (raw, N, 0); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill3 (raw, N, 1); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill3 (raw, N, USHRT_MAX - 1); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ fill3 (raw, N, USHRT_MAX); ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ ++ if (pass==1) ++ { ++ fill4 (raw, USHRT_MAX + 1); ++ compressVerify(raw, USHRT_MAX + 1, HUF_COMPRESS_DEK_HASH_FOR_FILL4_USHRT_MAX_PLUS_ONE); ++ ++ compressUncompress (raw, USHRT_MAX + 1); ++ compressUncompressSubset (raw, USHRT_MAX + 1); ++ fill4 (raw, N); ++ compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL4_N); ++ } ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ ++ fill4 (raw, 0); ++ compressUncompress (raw, 0); // test small input data sets ++ fill4 (raw, 1); ++ compressUncompress (raw, 1); ++ fill4 (raw, 2); ++ compressUncompress (raw, 2); ++ fill4 (raw, 3); ++ compressUncompress (raw, 3); ++ ++ fill5 (raw, N); // test run-length coding of code table ++ if (pass==1) ++ { ++ 
compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL5_N); ++ } ++ compressUncompress (raw, N); ++ compressUncompressSubset (raw, N); ++ ++ } + + cout << "ok\n" << endl; + } +-- +2.33.0 + diff --git a/OpenEXR.spec b/OpenEXR.spec index 6f4d464f7a888cb46bc4ba5ad43b252071d98e2c..9411986430260d0890dd48c07d625af50018ebaa 100644 --- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,7 +1,7 @@ Name: OpenEXR Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Version: 2.2.0 -Release: 26 +Release: 27 License: BSD URL: http://www.openexr.com/ Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz @@ -37,6 +37,7 @@ Patch0024: CVE-2021-20300.patch Patch0025: CVE-2021-20302.patch #https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Patch0026: CVE-2021-3933.patch +Patch0027: CVE-2021-20304.patch BuildConflicts: %{name}-devel < 2.2.0 BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig @@ -100,6 +101,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}" %{_libdir}/pkgconfig/OpenEXR.pc %changelog +* Thu Aug 18 2022 mayp - 2.2.0-27 +- Fix CVE-2021-20304 + * Fri Jul 15 2022 weichao.zhang - 2.2.0-26 - Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933
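Review bot: The testHuf.cpp hunk of the embedded patch calls `compressVerify` and uses `HUF_COMPRESS_DEK_HASH_FOR_FILL4_USHRT_MAX_PLUS_ONE`, `HUF_COMPRESS_DEK_HASH_FOR_FILL4_N` and `HUF_COMPRESS_DEK_HASH_FOR_FILL5_N`, but no hunk in this patch defines them. Unless the 2.2.0 tree or an earlier patch in the series already provides them, the test file will not compile, so either backport the definitions as well or drop the `compressVerify` calls. Separately, the two new `if ( lc < 0 )` guards in hufDecode are only exercised here by round-trips of valid data; a test that decodes a stream whose code length exceeds the remaining bits and asserts that it is rejected would pin the fix. The bodies of hufDecode and testHuf both start outside the hunks shown.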
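Review bot: `Patch0027` is added without the upstream-commit comment that `Patch0026` carries on the line above it. The patch file's own `From`/`From:` header appears to be the packager's, so nothing on the page records which upstream change this backport derives from. Add a provenance line before the entry, e.g. `#https://github.com/AcademySoftwareFoundation/openexr/commit/<upstream-commit-id>`, so the fix can be audited against upstream later.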