diff --git a/1-bugfix-for-CVE-2025-3887.patch b/1-bugfix-for-CVE-2025-3887.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc9deff2e7a79c54c8192e25767bc269232cb194
--- /dev/null
+++ b/1-bugfix-for-CVE-2025-3887.patch
@@ -0,0 +1,98 @@
+diff -up a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c 2025-01-06 20:48:08.000000000 +0100
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c 2025-05-22 10:53:03.155734020 +0200
+@@ -72,6 +72,8 @@
+ #include
+ #include
+ 
++#define MAX_DPB_SIZE 16
++
+ #ifndef GST_DISABLE_GST_DEBUG
+ #define GST_CAT_DEFAULT gst_h265_debug_category_get()
+ static GstDebugCategory *
+@@ -1897,7 +1899,7 @@ gst_h265_parse_vps (GstH265NalUnit * nal
+ for (i =
+ (vps->sub_layer_ordering_info_present_flag ? 0 :
+ vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
+- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
++ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
+ READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
+ vps->max_dec_pic_buffering_minus1[i]);
+ READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
+@@ -2084,7 +2086,7 @@ gst_h265_parse_sps (GstH265Parser * pars
+ for (i =
+ (sps->sub_layer_ordering_info_present_flag ?
0 :
+ sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
+- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
++ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
+ READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
+ sps->max_dec_pic_buffering_minus1[i]);
+ READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
+@@ -2813,6 +2815,8 @@ gst_h265_parser_parse_slice_hdr (GstH265
+ READ_UINT8 (&nr, slice->colour_plane_id, 2);
+ 
+ if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) {
++ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
++
+ READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
+ (sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
+ 
+@@ -2829,24 +2833,56 @@ gst_h265_parser_parse_slice_hdr (GstH265
+ slice->short_term_ref_pic_set_size =
+ (nal_reader_get_pos (&nr) - pos) -
+ (8 * (nal_reader_get_epb_count (&nr) - epb_pos));
++
++ ref_pic_sets = &slice->short_term_ref_pic_sets;
+ } else if (sps->num_short_term_ref_pic_sets > 1) {
+ /* 7.4.7.1 short_term_ref_pic_set_idx */
+ const guint n = gst_util_ceil_log2 (sps->num_short_term_ref_pic_sets);
+ READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
+ CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
+ sps->num_short_term_ref_pic_sets - 1);
++ ref_pic_sets =
++ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
++ } else {
++ ref_pic_sets = &sps->short_term_ref_pic_set[0];
+ }
+ 
+ if (sps->long_term_ref_pics_present_flag) {
+ guint32 limit;
+ guint pos = nal_reader_get_pos (&nr);
+ guint epb_pos = nal_reader_get_epb_count (&nr);
++ gint max_num_long_term_pics = 0;
++ gint TwoVersionsOfCurrDecPicFlag = 0;
+ 
+- if (sps->num_long_term_ref_pics_sps > 0)
++ if (sps->num_long_term_ref_pics_sps > 0) {
+ READ_UE_MAX (&nr, slice->num_long_term_sps,
+ sps->num_long_term_ref_pics_sps);
++ }
++
++ /* 7.4.3.3.3 */
++ if (pps->pps_scc_extension_flag &&
++ pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag &&
++ 
(sps->sample_adaptive_offset_enabled_flag ||
++ !pps->deblocking_filter_disabled_flag ||
++ pps->deblocking_filter_override_enabled_flag)) {
++ TwoVersionsOfCurrDecPicFlag = 1;
++ }
++
++ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
++ max_num_long_term_pics =
++ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
++ * MaxDpbSize - 1 */
++ MAX_DPB_SIZE - 1
++ - (gint) slice->num_long_term_sps
++ - (gint) ref_pic_sets->NumNegativePics
++ - (gint) ref_pic_sets->NumPositivePics -
++ TwoVersionsOfCurrDecPicFlag;
++ if (max_num_long_term_pics < 0) {
++ GST_WARNING ("Invalid stream, too many reference pictures");
++ goto error;
++ }
+ 
+- READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
++ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
+ limit = slice->num_long_term_sps + slice->num_long_term_pics;
+ for (i = 0; i < limit; i++) {
+ if (i < slice->num_long_term_sps) {
diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec
index 5a0bb9da0845a58cca2aac27c79293a5aaa15a9e..f9be16ec14d06fd513d36bdf0a6651c2e180bb86 100644
--- a/gstreamer1-plugins-bad-free.spec
+++ b/gstreamer1-plugins-bad-free.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global majorminor 1.0
 %global _gobject_introspection 1.31.1
 %bcond_with extras
@@ -19,6 +19,7 @@ URL: http://gstreamer.freedesktop.org/
 Source0: gst-plugins-bad-free-%{version}.tar.xz
 Source1: gst-p-bad-cleanup.sh
+Patch1: 1-bugfix-for-CVE-2025-3887.patch
 BuildRequires: gcc-c++ meson >= 0.48.0
 BuildRequires: check
 BuildRequires: glslc
@@ -547,6 +548,9 @@ EOF
 %doc docs/*
 %changelog
+* Thu Jul 03 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 1.24.10-2
+- Fix CVE-2025-3887
+
 * Fri Mar 21 2025 Chang Gao - 1.24.10-1
 - Update to 1.24.10
 - Remove useless patches which upstream already exist
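Review bot: `#define MAX_DPB_SIZE 16` in the first inner hunk carries no comment, yet every later use of `MAX_DPB_SIZE - 1` — the VPS and SPS `max_dec_pic_buffering_minus1` bounds and the `max_num_long_term_pics` budget in the slice-header hunk — relies on it being the codec's maximum DPB size rather than an arbitrary array length; a comment such as `/* Largest MaxDpbSize any H.265 level allows; vps/sps_max_dec_pic_buffering_minus1 and the 7.4.7.1 reference-picture budget are capped at MAX_DPB_SIZE - 1 */` would tie the three hunks together. The budget uses this constant instead of `sps->max_dec_pic_buffering_minus1[TemporalId]`, as the comment above `MAX_DPB_SIZE - 1` acknowledges; that is a safe over-approximation now that the SPS hunk caps that array at the same value, and indexing it by the NAL unit's temporal id would be the natural tightening. The `else` branch of the short-term RPS selection reads `sps->short_term_ref_pic_set[0]` even when `sps->num_short_term_ref_pic_sets` is 0, so the budget then depends on that entry being zero-initialised by the SPS parser, which is outside this hunk and worth confirming. `gst_h265_parser_parse_slice_hdr` begins and ends outside the hunk.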
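Review bot: `Patch1:` is declared in the second spec hunk, but nothing in the diff shows it being applied, and the patch's paths are monorepo-relative (`a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c`) while `Source0` is the `gst-plugins-bad-free-%{version}.tar.xz` tarball, so if that tarball has the usual gst-plugins-bad layout with `gst-libs/` at its top level, a plain `%autosetup -p1` or `%patch1 -p1` will not find the file. Either rewrite the patch paths to `a/gst-libs/gst/codecparsers/gsth265parser.c` or apply it with `-p3`, and confirm that `%prep` (outside this diff) applies Patch1 at all; otherwise the CVE-2025-3887 entry added in the changelog hunk describes a fix that is not built in.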