diff --git a/htmldoc-CVE-2021-40985.patch b/htmldoc-CVE-2021-40985.patch
new file mode 100644
index 0000000..f5ef0c4
--- /dev/null
+++ b/htmldoc-CVE-2021-40985.patch
@@ -0,0 +1,33 @@
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 337c0cc5..d44d1ba3 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -915,6 +915,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ colors_used = (int)read_dword(fp);
+ read_dword(fp);
+
++ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++ return (-1);
++
+ if (info_size > 40)
+ for (info_size -= 40; info_size > 0; info_size --)
+ getc(fp);
+@@ -926,7 +929,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ fread(colormap, (size_t)colors_used, 4, fp);
+
+ // Setup image and buffers...
+- img->depth = gray ? 1 : 3;
++ img->depth = gray ? 1 : 3;
+
+ // If this image is indexed and we are writing an encrypted PDF file, bump the use count so
+ // we create an image object (Acrobat 6 bug workaround)
+@@ -1076,7 +1079,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ if (bit == 0xf0)
+ {
+ if (color < 0)
+- temp = getc(fp);
++ temp = getc(fp) & 255;
+ else
+ temp = color;
+
+
diff --git a/htmldoc.changes b/htmldoc.changes
index 4e4065f..ec24a39 100644
--- a/htmldoc.changes
+++ b/htmldoc.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Nov 5 08:29:27 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2021-40985 [bsc#1192357], buffer overflow may lead to DoS via a crafted BMP image
+ + htmldoc-CVE-2021-40985.patch
+
 -------------------------------------------------------------------
 Tue Jun 1 01:37:51 UTC 2021 - Ferdinand Thiessen
diff --git a/htmldoc.spec b/htmldoc.spec
index 43d1e61..ebd89ec 100644
--- a/htmldoc.spec
+++ b/htmldoc.spec
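Review bot: The width/height guard added in the first image.cxx hunk leaves `colors_used` unchecked, although it is read from the file two lines above the guard and the second hunk's context shows it passed to `fread(colormap, (size_t)colors_used, 4, fp)` as the element count. Unless code between those lines (outside the hunks) already bounds it, a negative or oversized value would write past `colormap`; a guard such as `if (colors_used < 0 || (size_t)colors_used > sizeof(colormap) / sizeof(colormap[0])) return (-1);` ahead of the fread would cover that, assuming `colormap` is a fixed-size array in this function. In the third hunk, `getc(fp) & 255` turns EOF into 255, so a truncated file is decoded as pixel data rather than rejected; testing for EOF before masking would be stricter. The body of image_load_bmp starts and ends outside all three hunks, so these points need confirming against the full function.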
@@ -24,6 +24,8 @@ License: LGPL-2.1-or-later
 Group: Productivity/Publishing/HTML/Tools
 URL: https://michaelrsweet.github.io/htmldoc/index.html
 Source: https://github.com/michaelrsweet/htmldoc/releases/download/v%{version}/htmldoc-%{version}-source.tar.gz
+# CVE-2021-40985 [bsc#1192357], buffer overflow may lead to DoS via a crafted BMP image
+Patch0: htmldoc-CVE-2021-40985.patch
 BuildRequires: fltk-devel
 BuildRequires: gcc-c++
 BuildRequires: hicolor-icon-theme
@@ -41,6 +43,7 @@ Portable Document Format (PDF) files that can be viewed online or printed.
 %prep
 %setup -q
+%patch0 -p1
 %build
 %configure \