diff --git a/CVE-2020-13113.patch b/backport-CVE-2020-13113.patch
similarity index 100%
rename from CVE-2020-13113.patch
rename to backport-CVE-2020-13113.patch
diff --git a/backport-CVE-2020-13114.patch b/backport-CVE-2020-13114.patch
new file mode 100644
index 0000000..369ca85
--- /dev/null
+++ b/backport-CVE-2020-13114.patch
@@ -0,0 +1,58 @@
+From eeec66abade83264169872acfbe14ed0e1e68d9d Mon Sep 17 00:00:00 2001
+From: yangcheng1203
+Date: Mon, 26 Jul 2021 14:37:06 +0800
+Subject: [PATCH] CVE-2020-13114
+
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..3d8c790 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+ 
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+ 
++ /* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }
+--
+1.8.3.1
+
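Review bot: In the new `if (failsafe_size > FAILSAFE_SIZE_MAX)` block of the third inner hunk, `failsafe_size` is declared `long` but is passed to `exif_log` under a `%lu` conversion, so the format string and argument type disagree; `-Wformat` flags it and the clean form is `"ExifMnoteCanon", "Failsafe tag size overflow (%ld > %ld)",`. The same block frees `n->entries[tcount].data` but leaves the pointer in the entry; because the loop breaks without incrementing `tcount` the slot presumably never becomes a counted entry, but a `n->entries[tcount].data = NULL;` after the free would make that independent of how `n->count` is assigned later. The enclosing function exif_mnote_data_canon_load starts and ends outside the hunk.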
diff --git a/libexif.spec b/libexif.spec
index d0d849b..1266dea 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -14,7 +14,8 @@
 Patch6004: libexif-bugfix-integer-overflow.patch
 Patch6005: libexif-bugfix-unsigned-int.patch
 Patch6006: libexif-bugfix-overflow.patch
 Patch6007: libexif-bugfix-large-loop-in-exif_loader_get_data.patch
-Patch6008: CVE-2020-13113.patch
+Patch6008: backport-CVE-2020-13113.patch
+Patch6009: backport-CVE-2020-13114.patch
 Patch9001: libexif-bugfix-integer-overflow-pentax.patch
 BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git
@@ -73,11 +74,11 @@ make check
 %doc libexif-api.html NEWS
 %changelog
-* Mon Jul 26 202 yangcheng - 0.6.21-22
+* Mon Jul 26 2021 yangcheng - 0.6.21-22
 - Type:CVE
-- Id:CVE-2020-13113
+- Id:CVE-2020-13113,CVE-2020-13114
 - SUG:NA
-- DESC:fix CVE-2020-13113
+- DESC:fix CVE-2020-13113 CVE-2020-13114
 * Sat Aug 8 2020 yanan - 0.6.21-21
 - Type:bugfix
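Review bot: The second hunk rewrites the existing `0.6.21-22` %changelog entry in place, adding CVE-2020-13114 to its Id and DESC lines, and no `Release:` bump is visible in the diff; if -22 has already been built or published, the new patch ships under an unchanged NVR and the two builds cannot be told apart. The conventional form is a fresh `* Mon Jul 26 2021 yangcheng - 0.6.21-23` entry with a matching Release bump, leaving the earlier entry as written. The `202` to `2021` date correction in the same hunk is fine. Whether %prep applies Patch6009 (for example via %autosetup) is outside this diff, so the Patch6009 line in the first hunk cannot be confirmed to take effect from here.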