diff --git a/SOURCES/flac-cve-2020-22219.patch b/SOURCES/flac-cve-2020-22219.patch
new file mode 100644
index 0000000..a896d9e
--- /dev/null
+++ b/SOURCES/flac-cve-2020-22219.patch
@@ -0,0 +1,177 @@
+Backported to 1.3.2
+
+commit 21fe95ee828b0b9b944f6aa0bb02d24fbb981815
+Author: Martijn van Beurden <mvanb1@gmail.com>
+Date:   Wed Aug 3 13:52:19 2022 +0200
+
+    Add and use _nofree variants of safe_realloc functions
+    
+    Parts of the code use realloc like
+    
+    x = safe_realloc(x, somesize);
+    
+    when this is the case, the safe_realloc variant used must free the
+    old memory block in case it fails, otherwise it will leak. However,
+    there are also instances in the code where handling is different:
+    
+    if (0 == (x = safe_realloc(y, somesize)))
+        return false
+    
+    in this case, y should not be freed, as y is not set to NULL we
+    could encounter double frees. Here the safe_realloc_nofree
+    functions are used.
+
+diff -up flac-1.3.2/include/share/alloc.h.cve-2020-22219 flac-1.3.2/include/share/alloc.h
+--- flac-1.3.2/include/share/alloc.h.cve-2020-22219	2016-12-07 21:10:26.218454157 +0100
++++ flac-1.3.2/include/share/alloc.h	2023-08-31 11:32:36.335453612 +0200
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *
+ 		free(oldptr);
+ 	return newptr;
+ }
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
++static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
++{
++	size2 += size1;
++	if(size2 < size1)
++		return 0;
++	return realloc(ptr, size2);
++}
++
++static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1) {
+ 		free(ptr);
+ 		return 0;
+ 	}
+-	return realloc(ptr, size2);
++	size3 += size2;
++	if(size3 < size2) {
++		free(ptr);
++		return 0;
++	}
++	return safe_realloc_(ptr, size3);
+ }
+ 
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
++static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op
+ 	return realloc(ptr, size3);
+ }
+ 
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
++static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1)
+@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op
+ 	return safe_realloc_(ptr, size1*size2);
+ }
+ 
++static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
++{
++	if(!size1 || !size2)
++		return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++	if(size1 > SIZE_MAX / size2)
++		return 0;
++	return realloc(ptr, size1*size2);
++}
++
+ /* size1 * (size2 + size3) */
+ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2
+ 	return safe_realloc_mul_2op_(ptr, size1, size2);
+ }
+ 
++/* size1 * (size2 + size3) */
++static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
++{
++	if(!size1 || (!size2 && !size3))
++		return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++	size2 += size3;
++	if(size2 < size3)
++		return 0;
++	return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
++}
++
+ #endif
+diff -up flac-1.3.2/src/flac/encode.c.cve-2020-22219 flac-1.3.2/src/flac/encode.c
+--- flac-1.3.2/src/flac/encode.c.cve-2020-22219	2016-12-07 21:10:26.218454157 +0100
++++ flac-1.3.2/src/flac/encode.c	2023-08-31 11:32:36.335453612 +0200
+@@ -1744,10 +1744,10 @@ static void static_metadata_clear(static
+ static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+ {
+ 	void *x;
+-	if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++	if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ 		return false;
+ 	m->metadata = (FLAC__StreamMetadata**)x;
+-	if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++	if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ 		return false;
+ 	m->needs_delete = (FLAC__bool*)x;
+ 	m->metadata[m->num_metadata] = d;
+diff -up flac-1.3.2/src/flac/foreign_metadata.c.cve-2020-22219 flac-1.3.2/src/flac/foreign_metadata.c
+--- flac-1.3.2/src/flac/foreign_metadata.c.cve-2020-22219	2016-12-07 21:10:26.222454288 +0100
++++ flac-1.3.2/src/flac/foreign_metadata.c	2023-08-31 11:32:36.335453612 +0200
+@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin,
+ 
+ static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+ {
+-	foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
++	foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+ 	if(fb) {
+ 		fb[fm->num_blocks].offset = offset;
+ 		fb[fm->num_blocks].size = size;
+diff -up flac-1.3.2/src/libFLAC/bitwriter.c.cve-2020-22219 flac-1.3.2/src/libFLAC/bitwriter.c
+--- flac-1.3.2/src/libFLAC/bitwriter.c.cve-2020-22219	2016-12-07 21:10:26.222454288 +0100
++++ flac-1.3.2/src/libFLAC/bitwriter.c	2023-08-31 11:32:36.335453612 +0200
+@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWrit
+ 	FLAC__ASSERT(new_capacity > bw->capacity);
+ 	FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+ 
+-	new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
++	new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+ 	if(new_buffer == 0)
+ 		return false;
+ 	bw->buffer = new_buffer;
+diff -up flac-1.3.2/src/libFLAC/metadata_object.c.cve-2020-22219 flac-1.3.2/src/libFLAC/metadata_object.c
+--- flac-1.3.2/src/libFLAC/metadata_object.c.cve-2020-22219	2023-08-31 11:32:36.336453612 +0200
++++ flac-1.3.2/src/libFLAC/metadata_object.c	2023-08-31 11:34:18.844405405 +0200
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC_
+ /* realloc() failure leaves entry unchanged */
+ static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, unsigned length)
+ {
+-	FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
++	FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+ 	if (x != NULL) {
+ 		x[length] = '\0';
+ 		*entry = x;
+diff -up flac-1.3.2/src/plugin_common/tags.c.cve-2020-22219 flac-1.3.2/src/plugin_common/tags.c
+--- flac-1.3.2/src/plugin_common/tags.c.cve-2020-22219	2016-12-07 21:10:26.234454678 +0100
++++ flac-1.3.2/src/plugin_common/tags.c	2023-08-31 11:32:36.336453612 +0200
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf
+ 		const size_t value_len = strlen(value);
+ 		const size_t separator_len = strlen(separator);
+ 		FLAC__byte *new_entry;
+-		if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
++		if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+ 			return false;
+ 		memcpy(new_entry+entry->length, separator, separator_len);
+ 		entry->length += separator_len;
+diff -up flac-1.3.2/src/share/utf8/iconvert.c.cve-2020-22219 flac-1.3.2/src/share/utf8/iconvert.c
+--- flac-1.3.2/src/share/utf8/iconvert.c.cve-2020-22219	2016-12-07 21:10:26.234454678 +0100
++++ flac-1.3.2/src/share/utf8/iconvert.c	2023-08-31 11:32:36.336453612 +0200
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const
+       iconv_close(cd1);
+       return ret;
+     }
+-    newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
++    newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+     if (!newbuf)
+       goto fail;
+     ob = (ob - utfbuf) + newbuf;
diff --git a/SPECS/flac.spec b/SPECS/flac.spec
index aa1e755..baad2ea 100644
--- a/SPECS/flac.spec
+++ b/SPECS/flac.spec
@@ -1,7 +1,7 @@
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
 Version: 1.3.2
-Release: 9%{?dist}
+Release: 9%{?dist}.1
 License: BSD and GPLv2+ and GFDL
 Group: Applications/Multimedia
 Source0: http://downloads.xiph.org/releases/flac/flac-%{version}.tar.xz
@@ -12,6 +12,8 @@ Patch1: flac-cflags.patch
 Patch2: flac-memleak.patch
 # disable nasm detection
 Patch3: flac-nonasm.patch
+# don't free memory that is still used after realloc() error
+Patch4: flac-cve-2020-22219.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: libogg-devel
 BuildRequires: gcc automake autoconf libtool gettext-devel doxygen
@@ -57,6 +59,7 @@ will use the Free Lossless Audio Codec.
 %patch1 -p1 -b .cflags
 %patch2 -p1 -b .memleak
 %patch3 -p1 -b .nonasm
+%patch4 -p1 -b .cve-2020-22219
 
 %build
 # use our libtool to avoid problems with RPATH
@@ -105,6 +108,9 @@ make -C test check FLAC__TEST_LEVEL=0 &> /dev/null
 %{_datadir}/aclocal/*.m4
 
 %changelog
+* Thu Aug 31 2023 Miroslav Lichvar <mlichvar@redhat.com> 1.3.2-9.el8_8.1
+- don't free memory that is still used after realloc() error (CVE-2020-22219)
+
 * Thu Sep 20 2018 Miroslav Lichvar <mlichvar@redhat.com> 1.3.2-9
 - disable nasm to avoid gaps in annobin coverage (#1630561)