diff --git a/debian/changelog b/debian/changelog
index 80bfd2c38ef7497d74cadfd08844e3940e487a44..8b1d3d5ee50900ef5a79e313aa40b61984a8023b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,9 +11,23 @@ ghostscript (9.50~dfsg-ok5) yangtze; urgency=medium
     - CVE-2020-16294
     - CVE-2020-16301
     - CVE-2020-16300
+    - CVE-2020-16309
+    - CVE-2020-16308
 
  -- jiangdingyuan <jiangdingyuan@kylinos.cn>  Wed, 02 Aug 2023 10:19:20 +0800
 
+ghostscript (9.50~dfsg-ok7) yangtze; urgency=medium
+
+  * repair CVE-2020-16308
+
+ -- dzdtang <tangyi@whu.edu.cn>  Sun, 14 Aug 2023 15:32:36 +0800
+
+ghostscript (9.50~dfsg-ok6) yangtze; urgency=medium
+
+  * repair CVE-2020-16309
+
+ -- dzdtang <tangyi@whu.edu.cn>  Sun, 14 Aug 2023 15:32:33 +0800
+
 ghostscript (9.50~dfsg-ok4) yangtze; urgency=medium
 
   * another-lin CVE-2020-16288 安全更新：修复缓冲区错误的漏洞。该漏洞源于网络系统或产品在内存上执行操作时，未正确验证数据边界，导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆溢出等.
diff --git a/devices/gdevlxm.c b/devices/gdevlxm.c
index f3135dcd9570c4508981443a1d4abb4f5c731253..6f39d2c4c10b9ac1a6d0986eeacd14f35490ba24 100644
--- a/devices/gdevlxm.c
+++ b/devices/gdevlxm.c
@@ -245,13 +245,22 @@ quit_ignomiously: /* and a goto into an if statement is pretty ignomious! */
         outp = swipeBuf;
 
         /* macro, not fcn call.  Space penalty is modest, speed helps */
-#define buffer_store(x) if(outp-swipeBuf>=swipeBuf_size) {\
-            gs_free(pdev->memory, (char *)swipeBuf, swipeBuf_size, 1, "lxm_print_page(swipeBuf)");\
-            swipeBuf_size*=2;\
-            swipeBuf = (byte *)gs_malloc(pdev->memory, swipeBuf_size, 1, "lxm_print_page(swipeBuf)");\
-            if (swipeBuf == 0) goto quit_ignomiously;\
-            break;}\
-        else *outp++ = (x)
+#define buffer_store(x)\
+        {\
+            if (outp-swipeBuf>=swipeBuf_size) {\
+                size_t  outp_offset = outp - swipeBuf;\
+                size_t  swipeBuf_size_new = swipeBuf_size * 2;\
+                byte*   swipeBuf_new = gs_malloc(pdev->memory, swipeBuf_size_new, 1, "lxm_print_page(swipeBuf_new)");\
+                if (!swipeBuf_new) goto quit_ignomiously;\
+                memcpy(swipeBuf_new, swipeBuf, swipeBuf_size);\
+                gs_free(pdev->memory, swipeBuf, swipeBuf_size, 1, "lxm_print_page(swipeBuf)");\
+                swipeBuf_size = swipeBuf_size_new;\
+                swipeBuf = swipeBuf_new;\
+                outp = swipeBuf + outp_offset;\
+            }\
+            *outp++ = (x);\
+        }
+ 
 
             {/* work out the bytes to store for this swipe*/