diff --git a/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch b/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
new file mode 100644
index 0000000..13a8605
--- /dev/null
+++ b/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
@@ -0,0 +1,75 @@
+From 61f4928dcc31b91aaf3bcbcf2898f8f09586a213 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+ +-------------------+-------------------+-------------------+--
+ | header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+ +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary. However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+ +-------------------+-------------------+
+ | header |[ blk ][blk][ blk ..... ]
+ +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry. Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file. Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash. (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563f..2e4231a5 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+ if (is_root || !h->unsafe) {
+ SET_ERRNO (ENOTSUP,
+- "%s, the block at 0x%zx has invalid size %" PRIu32
+- ", bad registry",
++ "%s, the block at 0x%zx size %" PRIu32
++ " <= 4 or not a multiple of 4, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+ }
+ }
+
++ if (blkoff + seg_len > off + page_size) {
++ SET_ERRNO (ENOTSUP,
++ "%s, the block at 0x%zx size %" PRIu32
++ " extends beyond the current page, bad registry",
++ filename, blkoff, le32toh (block->seg_len));
++ goto error;
++ }
++
+ if (h->msglvl >= 2) {
+ unsigned char *id = (unsigned char *) block->id;
+ int id0 = id[0], id1 = id[1];
+--
+2.29.2
+
diff --git a/SPECS/hivex.spec b/SPECS/hivex.spec
index 7006060..abe5338 100644
--- a/SPECS/hivex.spec
+++ b/SPECS/hivex.spec
@@ -10,7 +10,7 @@
Name: hivex
Version: 1.3.18
-Release: 20%{?dist}
+Release: 21%{?dist}
Summary: Read and write Windows Registry binary hive files
License: LGPLv2
@@ -30,6 +30,9 @@ Source2: libguestfs.keyring
Patch0001: 0001-Win-Hivex-Regedit-Accept-CRLF-line-endings.patch
Patch0002: 0002-Win-Hivex-Regedit-Ignore-comments.patch
+# Bounds check for block exceeding page length (CVE-2021-3504).
+Patch0003: 0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
+
BuildRequires: perl-interpreter
BuildRequires: perl-devel
BuildRequires: perl-generators
@@ -274,6 +277,10 @@ fi
%changelog
+* Sat Apr 17 2021 Richard W.M. Jones <rjones@redhat.com> - 1.3.18-21
+- Bounds check for block exceeding page length (CVE-2021-3504)
+ resolves: rhbz#1950501
+
* Mon Apr 27 2020 Danilo C. L. de Paula <ddepaula@redhat.com> - 1.3.18
- Resolves: bz#1810193
(Upgrade components in virt:rhel module:stream for RHEL-8.3 release)