diff --git a/flac-cve-2020-0499.patch b/flac-cve-2020-0499.patch
new file mode 100644
index 0000000..712294a
--- /dev/null
+++ b/flac-cve-2020-0499.patch
@@ -0,0 +1,23 @@
+commit 2e7931c27eb15e387da440a37f12437e35b22dd4
+Author: Erik de Castro Lopo
+Date: Mon Oct 7 12:55:58 2019 +1100
+
+ libFLAC/bitreader.c: Fix out-of-bounds read
+
+ Credit: Oss-Fuzz
+ Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069
+ Testcase: fuzzer_decoder-5670265022840832
+
+diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c
+index 5e4b5918..3df4d02c 100644
+--- a/src/libFLAC/bitreader.c
++++ b/src/libFLAC/bitreader.c
+@@ -869,7 +869,7 @@ incomplete_lsbs:
+ cwords = br->consumed_words;
+ words = br->words;
+ ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
+- b = br->buffer[cwords] << br->consumed_bits;
++ b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
+ } while(cwords >= words && val < end);
+ }
+
diff --git a/flac.spec b/flac.spec
index 87b4ac7..1d928f9 100644
--- a/flac.spec
+++ b/flac.spec
@@ -8,7 +8,7 @@
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
 Version: 1.3.3
-Release: 3.1%{?dist}
+Release: 4%{?dist}
 License: BSD and GPLv2+ and GFDL
 Source0: https://downloads.xiph.org/releases/flac/flac-%{version}.tar.xz
 URL: https://www.xiph.org/flac/
@@ -23,6 +23,9 @@ Source1: xmms-flac.desktop
 # 2.0 supports symbol visibility
 BuildRequires: nasm >= 2.0
 %endif
+BuildRequires: make
+
+Patch1: flac-cve-2020-0499.patch
 
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
@@ -71,6 +74,7 @@ This is the input plugin for XMMS to be able to read FLAC files.
 
 %prep
 %setup -q
+%patch1 -p1 -b .cve-2020-0499
 
 %build
 # use our libtool to avoid problems with RPATH
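Review bot: The guard added on the `b = ...` line of the embedded bitreader.c patch bounds `cwords` by `br->capacity`, while the loop condition directly below it bounds the same index by `br->words`, and the patch does not say why the two limits differ. The check stops the load past the end of the buffer, but for `words <= cwords < capacity` it still loads a word that, judging by the field names, the reader may not have filled. The `while(cwords >= words && val < end)` condition suggests `b` is not consumed in that case; this should be confirmed against the rest of the function, which starts and ends outside the hunk. As this is a verbatim upstream backport I would leave the code as is and ask upstream for a comment on that line, for example `/* index may reach capacity here; b is only used once cwords < words */`.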
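Review bot: `Patch1:` in the second flac.spec hunk is added without a comment naming its origin, so a later rebase cannot tell from the spec alone whether the patch is already contained in a new upstream release. A line above it such as `# CVE-2020-0499, upstream commit 2e7931c27eb15e387da440a37f12437e35b22dd4` would tie the spec entry to the commit id that the patch file itself records. The same hunk also adds `BuildRequires: make`, which is unrelated to the security fix and is not mentioned in the new changelog entry.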
@@ -139,8 +143,8 @@ make check
 %endif
 
 %changelog
-* Sat Dec 19 2020 Petr Ĺ abata - 1.3.3-3.1
-- Bump for gcc11
+* Thu Jan 07 2021 Miroslav Lichvar 1.3.3-4
+- fix out-of-bounds read in decoder (CVE-2020-0499)
 
 * Mon Jul 27 2020 Fedora Release Engineering - 1.3.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild