diff --git a/download b/download
index 987a0f0e4aa1d9151d3bd6d80487fce044214bf3..a71c176b5d692b96e39094172736b746c37d5be2 100644
--- a/download
+++ b/download
@@ -1,2 +1,2 @@
-c373c0ea292e8a1d3e87a1153ee64199  php-7.4.30.tar.xz
-d831d247dd385217a04861291a314f73  php-7.4.30.tar.xz.asc
+f098632163cd47f2c1ffe2bdc6ef1ff2  php-7.4.33.tar.xz
+306dca821388f20fa55324960d82f427  php-7.4.33.tar.xz.asc
diff --git a/php-CVE-2022-31631.patch b/php-CVE-2022-31631.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3627c23cc5b95194773aca82a28aae2a04ba6651
--- /dev/null
+++ b/php-CVE-2022-31631.patch
@@ -0,0 +1,52 @@
+From 7cb160efe19d3dfb8b92629805733ea186b55050 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 31 Oct 2022 17:20:23 +0100
+Subject: [PATCH] Fix #81740: PDO::quote() may return unquoted string
+
+`sqlite3_snprintf()` expects its first parameter to be `int`; we need
+to avoid overflow.
+
+(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
+---
+ ext/pdo_sqlite/sqlite_driver.c     |  3 +++
+ ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+)
+ create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
+
+diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
+index 0595bd09fe..54f9d05e1e 100644
+--- a/ext/pdo_sqlite/sqlite_driver.c
++++ b/ext/pdo_sqlite/sqlite_driver.c
+@@ -233,6 +233,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t
+ /* NB: doesn't handle binary strings... use prepared stmts for that */
+ static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype )
+ {
++	if (unquotedlen > (INT_MAX - 3) / 2) {
++		return 0;
++	}
+ 	*quoted = safe_emalloc(2, unquotedlen, 3);
+ 	sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
+ 	*quotedlen = strlen(*quoted);
+diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
+new file mode 100644
+index 0000000000..99fb07c304
+--- /dev/null
++++ b/ext/pdo_sqlite/tests/bug81740.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #81740 (PDO::quote() may return unquoted string)
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++$pdo = new PDO("sqlite::memory:");
++$string = str_repeat("a", 0x80000000);
++var_dump($pdo->quote($string));
++?>
++--EXPECT--
++bool(false)
diff --git a/php.spec b/php.spec
index 4c519cc082871147b2e0d36475227b775cc228e8..5ea803d7fceae76d0df1bbd082615b7aeca76c9a 100644
--- a/php.spec
+++ b/php.spec
@@ -55,7 +55,7 @@
 %global with_tidy     0
 %endif
 
-%global upver        7.4.30
+%global upver        7.4.33
 #global rcver        RC1
 
 Summary: PHP scripting language for creating dynamic web sites
@@ -109,6 +109,7 @@ Patch47: php-5.6.3-phpinfo.patch
 # Upstream fixes (100+)
 
 # Security fixes (200+)
+Patch200: php-CVE-2022-31631.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -720,6 +721,7 @@ in pure PHP.
 # upstream patches
 
 # security patches
+%patch200 -p1 -b .cve31631
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1511,9 +1513,14 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
-* Tue Jan 31 2023 Liwei Ge <liwei.glw@openanolis.org> - 7.4.30-1.0.1
+* Wed Jun 14 2023 Liwei Ge <liwei.glw@openanolis.org> - 7.4.33-1.0.1
 - Support loongarch64 platform
 
+* Fri Jan 13 2023 Remi Collet <rcollet@redhat.com> - 7.4.33-1
+- rebase to 7.4.33
+- fix: due to an integer overflow PDO::quote() may return unquoted string
+  CVE-2022-31631
+
 * Thu Jul  7 2022 Remi Collet <rcollet@redhat.com> - 7.4.30-1
 - rebase to 7.4.30 #2099615