diff --git a/expat-CVE-2022-40674.patch b/expat-CVE-2022-40674.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d769955ec3b2873ffe50c4efc2842f708ab7b11
--- /dev/null
+++ b/expat-CVE-2022-40674.patch
@@ -0,0 +1,25 @@
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+--- a/parser/expat/lib/xmlparse.c
++++ b/parser/expat/lib/xmlparse.c
+@@ -5652,12 +5652,18 @@
+ else
+ #endif /* XML_DTD */
+ {
+ processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parentParser ? 1 : 0, encoding, s, end,
+- nextPtr, (XML_Bool)!ps_finalBuffer);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
+ static enum XML_Error PTRCALL
+ errorProcessor(XML_Parser parser,
+
diff --git a/firefox.spec b/firefox.spec
index 17318ecb60e11f0bfa92c290b8f0df8f008ffa1c..531027c561cb0f14c7bb3ea52ce7a1a693cfd7fa 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -88,7 +88,7 @@
 Summary: Mozilla Firefox Web browser
 Name: firefox
 Version: 79.0
-Release: 8
+Release: 9
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -190,6 +190,8 @@ Patch642: expat-CVE-2022-25235.patch
 Patch643: expat-CVE-2022-25236.patch
 # https://github.com/libexpat/libexpat/pull/559
 Patch644: expat-CVE-2022-25315.patch
+# https://github.com/libexpat/libexpat/pull/629
+Patch645: expat-CVE-2022-40674.patch
 %if %{?system_nss}
 BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
 BuildRequires: nss-static >= %{nss_version}
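Review bot: The backported lines in the xmlparse.c hunk of expat-CVE-2022-40674.patch spell the parser state as `parser->m_parentParser`, `parser->m_encoding` and `parser->m_parsingStatus.finalBuffer`, whereas the lines they replace and the unchanged `processor = contentProcessor;` just above use this bundled tree's shorthand names (`parentParser`, `encoding`, `ps_finalBuffer`). That presumably builds only because the shorthands expand to those fields; writing the call as `result = doContent(parser, parentParser ? 1 : 0, encoding, s, end, nextPtr, (XML_Bool)!ps_finalBuffer);` would keep the backport minimal and consistent with the surrounding code. The new `storeRawNames(parser)` call is the substance of the CVE-2022-40674 fix and has no explanation; a comment such as `/* copy raw tag names out of the parse buffer before returning, so open tags do not keep pointers into a buffer that may be reused */` would tell the next maintainer why it must not be dropped. The enclosing function begins outside the hunk, so whether `result` is declared there and `storeRawNames` is visible at this point should be confirmed against the bundled source.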
@@ -368,6 +370,7 @@ tar -xf %{SOURCE3}
 %patch642 -p1
 %patch643 -p1
 %patch644 -p1
+%patch645 -p1
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
 echo "ac_add_options --enable-default-toolkit=cairo-gtk3-wayland" >> .mozconfig
@@ -815,6 +818,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Thu Oct 20 2022 wangkai - 79.0-9 +- Fix for expat CVE-2022-40674 + * Thu Mar 17 2022 wangkai - 79.0-8 - Added expat backports of CVE-2022-25235, CVE-2022-25236 and CVE-2022-25315