diff --git a/CVE-2018-11797.patch b/CVE-2018-11797.patch
new file mode 100644
index 0000000..1f35571
--- /dev/null
+++ b/CVE-2018-11797.patch
@@ -0,0 +1,50 @@
+From 1c5220a55e0df63c122ad172debd86763512f09d Mon Sep 17 00:00:00 2001
+Subject: [PATCH] Fix CVE-2018-12123
+---
+ .../java/org/apache/pdfbox/pdfparser/COSParser.java | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
+index 524f2f5..751f4f1 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
+@@ -2239,12 +2239,12 @@ public class COSParser extends BaseParser
+ COSBase pages = root.getDictionaryObject(COSName.PAGES);
+ if (pages instanceof COSDictionary)
+ {
+- checkPagesDictionary((COSDictionary) pages);
++ checkPagesDictionary((COSDictionary) pages, new HashSet());
+ }
+ }
+ }
+
+- private int checkPagesDictionary(COSDictionary pagesDict)
++ private int checkPagesDictionary(COSDictionary pagesDict, Set set)
+ {
+ // check for kids
+ COSBase kids = pagesDict.getDictionaryObject(COSName.KIDS);
+@@ -2256,6 +2256,11 @@ public class COSParser extends BaseParser
+ for (COSBase kid : kidsList)
+ {
+ COSObject kidObject = (COSObject) kid;
++ if (set.contains(kidObject))
++ {
++ kidsArray.remove(kid);
++ continue;
++ }
+ COSBase kidBaseobject = kidObject.getObject();
+ // object wasn't dereferenced -> remove it
+ if (kidBaseobject.equals(COSNull.NULL))
+@@ -2270,7 +2275,8 @@ public class COSParser extends BaseParser
+ if (COSName.PAGES.equals(type))
+ {
+ // process nested pages dictionaries
+- numberOfPages += checkPagesDictionary(kidDictionary);
++ set.add(kidObject);
++ numberOfPages += checkPagesDictionary(kidDictionary, set);
+ }
+ else if (COSName.PAGE.equals(type))
+ {
+--
+2.23.0
+
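Review bot: The embedded patch's `Subject:` line reads "Fix CVE-2018-12123", while the file is named CVE-2018-11797.patch and the spec changelog records CVE-2018-11797; the header should read `Subject: [PATCH] Fix CVE-2018-11797` so that anyone tracing the CVE through patch metadata finds this change. In the COSParser change the new parameter appears as a raw `Set set` initialised with `new HashSet()` (type arguments may have been lost in rendering); if they are really absent, `Set<COSObject> visited` with `new HashSet<COSObject>()` would state what the guard stores. The guard itself has no comment, and I would add `// skip kids already visited so a cyclic /Kids reference is not traversed again` above the `set.contains(kidObject)` test. The body of `checkPagesDictionary` continues outside the inner hunks, so the definition of `kidsList` and the rest of the loop are not visible here.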
diff --git a/CVE-2018-8036.patch b/CVE-2018-8036.patch
new file mode 100644
index 0000000..40af384
--- /dev/null
+++ b/CVE-2018-8036.patch
@@ -0,0 +1,41 @@
+From 96708d737a9eaa5f950ca9aead18bf93a728d754 Mon Sep 17 00:00:00 2001
+Subject: [PATCH] Fix CVE-2018-8036
+---
+ .../main/java/org/apache/fontbox/afm/AFMParser.java | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
+index 2ac3dbe..320df7b 100644
+--- a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
++++ b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
+@@ -951,9 +951,11 @@ public class AFMParser
+ buf.append( (char)nextByte );
+
+ //now read the data
+- while( !isEOL(nextByte = input.read()) )
++ nextByte = input.read();
++ while (nextByte != -1 && !isEOL(nextByte))
+ {
+- buf.append( (char)nextByte );
++ buf.append((char)nextByte);
++ nextByte = input.read();
+ }
+ return buf.toString();
+ }
+@@ -978,9 +980,11 @@ public class AFMParser
+ buf.append( (char)nextByte );
+
+ //now read the data
+- while( !isWhitespace(nextByte = input.read()) )
++ nextByte = input.read();
++ while(nextByte != -1 && !isWhitespace(nextByte))
+ {
+- buf.append( (char)nextByte );
++ buf.append((char)nextByte);
++ nextByte = input.read();
+ }
+ return buf.toString();
+ }
+--
+2.23.0
+
diff --git a/pdfbox.spec b/pdfbox.spec
index a2e841c..d0cfb37 100644
--- a/pdfbox.spec
+++ b/pdfbox.spec
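Review bot: The `buf.append( (char)nextByte );` context line just before each rewritten loop in AFMParser still appends the first byte without an end-of-stream check, so if the stream is already exhausted at that point the value -1 is cast to the character U+FFFF and returned as data. The new `nextByte != -1` test only covers the bytes read after it. The read that produces that first byte is outside both inner hunks, so this needs confirming against the full methods; if it is unguarded, a check such as `if (nextByte == -1) { throw new IOException("Unexpected end of AFM data"); }` before the append would make truncated input fail explicitly, assuming these methods already declare IOException. Callers that read tokens until a given keyword are not visible here and are worth checking for termination on truncated input.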
@@ -1,16 +1,17 @@ Name: pdfbox Version: 2.0.9 -Release: 6 +Release: 7 Summary: A Java PDF Library License: ASL 2.0 URL: http://pdfbox.apache.org/ Source0: http://archive.apache.org/dist/pdfbox/%{version}/pdfbox-%{version}-src.zip - -BuildRequires: maven-local mvn(commons-io:commons-io) -BuildRequires: mvn(commons-logging:commons-logging) mvn(junit:junit) -BuildRequires: mvn(log4j:log4j:1.2.17) mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:) -BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.bouncycastle:bcmail-jdk15on) -BuildRequires: mvn(org.bouncycastle:bcprov-jdk15on) dejavu-sans-mono-fonts google-noto-emoji-fonts +Patch6000: CVE-2018-8036.patch +Patch6001: CVE-2018-11797.patch +BuildRequires: maven-local mvn(commons-io:commons-io) +BuildRequires: mvn(commons-logging:commons-logging) mvn(junit:junit) +BuildRequires: mvn(log4j:log4j:1.2.17) mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:) +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.bouncycastle:bcmail-jdk15on) +BuildRequires: mvn(org.bouncycastle:bcprov-jdk15on) dejavu-sans-mono-fonts google-noto-emoji-fonts BuildRequires: liberation-sans-fonts icc-profiles-openicc fontconfig Requires: liberation-sans-fonts @@ -77,7 +78,7 @@ XMP(TM) specification. It can be used to parse, validate and create xmp contents. It is mainly used by subproject preflight of Apache PDFBox. %prep -%setup -q +%autosetup -p1 %pom_disable_module preflight-app @@ -149,5 +150,8 @@ sed -i -e 's/TestTextStripper/BidiTest/' pdfbox/src/test/java/org/apache/pdfbox/ %license LICENSE.txt NOTICE.txt %changelog +* Sat Sep 19 2020 zhanghua - 2.0.9-7 +- Fix CVE-2018-8036, CVE-2018-11797 + * Fri Feb 28 2020 Senlin Xia - 2.0.9-6 - package init
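Review bot: The five `BuildRequires:` lines from `maven-local` through `google-noto-emoji-fonts` in the first pdfbox.spec hunk are removed and re-added with what reads as identical content, so the hunk appears to carry a whitespace-only rewrite alongside the two new `Patch` entries. Leaving those lines untouched would keep this security update down to `Patch6000`, `Patch6001`, the `Release` bump and `%autosetup -p1`, which makes the backport easier to audit. The blank line that separated `Source0:` from the build requirements is also dropped; keeping one after `Patch6001:` would preserve the grouping of the preamble.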