diff --git a/orc-check-return-value-of-vasprintf.patch b/orc-check-return-value-of-vasprintf.patch
new file mode 100644
index 0000000..177ace9
--- /dev/null
+++ b/orc-check-return-value-of-vasprintf.patch
@@ -0,0 +1,54 @@
+From 13ad22b4bc75feb71cefc6b9c0c9cb81ff8c73c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 5 Aug 2024 13:35:03 +0300
+Subject: [PATCH] Check return value of vasprintf()
+
+With glibc, on allocation failure it doesn't set the pointer to NULL but instead
+conveniently leaves it undefined.
+
+The BSD version is defined in a better way and sets the pointer to NULL to avoid
+further footguns.
+
+Simply abort() on allocation failure. In the other code paths where malloc() is
+used, allocation failures are not checked like everywhere else in orc but it is
+assumed that dereferencing a NULL pointer simply crashes the process.
+Technically this is of course still undefined behaviour.
+
+Part-of:
+---
+ orc/orccompiler.c | 3 ++-
+ orc/orcparse.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index 617ae295..3bc7da61 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1490,7 +1490,8 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+ if (compiler->error_msg) return;
+
+ #ifdef HAVE_VASPRINTF
+- vasprintf (&s, fmt, args);
++ if (vasprintf (&s, fmt, args) < 0)
++ ORC_ASSERT (0);
+ #elif defined(_UCRT)
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+ vsnprintf_s (s, ORC_COMPILER_ERROR_BUFFER_SIZE, _TRUNCATE, fmt, args);
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index abeb9f59..aa91395e 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -430,7 +430,8 @@ orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
+
+ #ifdef HAVE_VASPRINTF
+ char *text = NULL;
+- vasprintf (&text, format, args);
++ if (vasprintf (&text, format, args) < 0)
++ ORC_ASSERT (0);
+ #elif defined(_UCRT)
+ char text[ORC_ERROR_LENGTH] = { '\0' };
+ vsnprintf_s (text, ORC_ERROR_LENGTH, _TRUNCATE, format, args);
+--
+GitLab
+
+
diff --git a/orc.changes b/orc.changes
index 11a1e42..ff14cd1 100644
--- a/orc.changes
+++ b/orc.changes
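Review bot: In both added guards the abort depends entirely on `ORC_ASSERT (0)`, whose definition is not part of this patch. If that macro can be compiled out or made non-fatal in some build configuration, execution continues past a failed vasprintf() and, on glibc, `s` in orc_compiler_error_valist is then read while indeterminate (orc_parse_add_error_valist at least initialises `text` to NULL). Calling `abort ();` directly, as the commit message describes, would make the guarantee independent of the macro. A short comment such as `/* glibc leaves the pointer indeterminate on failure; do not touch s after a negative return */` would record why the result must be checked. Both functions start and end outside the hunks shown, so whether `s` has an initialiser cannot be confirmed from here.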
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan 30 09:58:28 UTC 2025 - pgajdos@suse.com
+
+- follow up of CVE-2024-40897 fix [bsc#1228184]
+- added patches
+ fix https://gitlab.freedesktop.org/gstreamer/orc/-/commit/13ad22b4bc75feb71cefc6b9c0c9cb81ff8c73c4
+ + orc-check-return-value-of-vasprintf.patch
+
 -------------------------------------------------------------------
 Mon Jul 22 12:10:45 UTC 2024 - Antonio Larrosa
diff --git a/orc.spec b/orc.spec
index db2b701..1380c2a 100644
--- a/orc.spec
+++ b/orc.spec
@@ -27,6 +27,8 @@ URL: https://gitlab.freedesktop.org/gstreamer/orc
 Source: https://gstreamer.freedesktop.org/src/orc/%{name}-%{version}.tar.xz
 Source99: baselibs.conf
 Patch0: 0001-Use-vasprintf-if-available-for-error-messages-and.patch
+# https://gitlab.freedesktop.org/gstreamer/orc/-/commit/13ad22b4bc75feb71cefc6b9c0c9cb81ff8c73c4
+Patch1: orc-check-return-value-of-vasprintf.patch
 BuildRequires: gtk-doc >= 1.12
 BuildRequires: meson >= 0.47.0
 BuildRequires: pkgconfig
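Review bot: Nothing in the orc.spec hunk shows that the new `Patch1:` is actually applied: it is declared next to `Patch0:`, but the %prep section lies outside the hunk. If %prep uses `%autosetup` or `%autopatch`, the patch is picked up automatically. If it lists patches explicitly, a matching `%patch -P 1 -p1` line is needed. Without it, the CVE-2024-40897 follow-up would ship in the source package without being compiled in, so it is worth confirming against the build log that the patch is applied.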