diff --git a/CVE-2020-35965.patch b/CVE-2020-35965.patch
new file mode 100644
index 0000000000000000000000000000000000000000..36fbaa40ef2d4c73efbf89ca36e64cd2dc025b73
--- /dev/null
+++ b/CVE-2020-35965.patch
@@ -0,0 +1,12 @@
+diff -Naru ffmpeg-4.2.4/libavcodec/exr.c ffmpeg-4.2.4-new/libavcodec/exr.c
+--- ffmpeg-4.2.4/libavcodec/exr.c	2022-06-13 09:59:12.123192000 +0800
++++ ffmpeg-4.2.4-new/libavcodec/exr.c	2022-06-13 11:03:38.706801000 +0800
+@@ -1791,7 +1791,7 @@
+     ptr         = picture->data[0];
+ 
+     // Zero out the start if ymin is not 0
+-    for (y = 0; y < s->ymin; y++) {
++    for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
+         memset(ptr, 0, out_line_size);
+         ptr += picture->linesize[0];
+     }
diff --git a/ffmpeg.spec b/ffmpeg.spec
index a9fbdcdc3c4fe652c4fec91f4ece75efd6e8a842..f1e0b2917a8c1d3a7c984d0e1d0f345fe01565e8 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -61,7 +61,7 @@ ExclusiveArch: armv7hnl
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        4.2.4
-Release:        4
+Release:        5
 License:        %{ffmpeg_license}
 URL:            http://ffmpeg.org/
 %if 0%{?date}
@@ -75,6 +75,7 @@ Patch2:         CVE-2021-3566.patch
 Patch3:         CVE-2021-38291.patch
 Patch4:         CVE-2021-38114.patch
 Patch5:         CVE-2020-35964.patch
+Patch6:         CVE-2020-35965.patch
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
 %{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})}
@@ -407,6 +408,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 
 
 %changelog
+* Mon Jun 13 2022 yanghuan <huan.yang@epro.com.cn> - 4.2.4-5
+- Fix CVE-2020-35965
+
 * Thu Jun 2 2022 yangweidong <yangweidong9@huawei.com> - 4.2.4-4
 - Fix CVE-2021-38114 and CVE-2020-35964