diff --git a/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch b/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d279fb827e4b1299195d47526f81cb9e630d6da8
--- /dev/null
+++ b/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
@@ -0,0 +1,50 @@
+From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Wed, 22 Jul 2020 09:57:54 -0700
+Subject: [PATCH 410/532] Bug 702582, CVE 2020-15900 Memory Corruption in
+ Ghostscript 9.52
+
+Fix the 'rsearch' calculation for the 'post' size to give the correct
+size.  Previous calculation would result in a size that was too large,
+and could underflow to max uint32_t. Also fix 'rsearch' to return the
+correct 'pre' string with empty string match.
+
+A future change may 'undefine' this undocumented, non-standard operator
+during initialization as we do with the many other non-standard internal
+PostScript operators and procedures.
+---
+ psi/zstring.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+index 33662da..58e1af2 100644
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
++    op->value.bytes = ptr;				/* match */
++    op->tas.rsize = size;				/* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
++    op[-1] = *op1;					/* pre */
++    op[-3].value.bytes = ptr + size;			/* post */
++    if (forward) {
++        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
++        op[-3].tas.rsize = count;			/* post */
++    } else {
++        op[-1].tas.rsize = count;			/* pre */
++        op[-3].tas.rsize -= count + size;		/* post */
++    }
+     make_true(op);
+     return 0;
+ }
+-- 
+1.8.3.1
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 00e4de06a819739fa6a318f6edbdb66a41dc2ba5..78c3eef3cc89f4e159d285c70a8bc81908f29d77 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.52
-Release:          2
+Release:          3
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -40,6 +40,7 @@ Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-h
 Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
 Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
 Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
+Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -200,6 +201,12 @@ make check
 %{_bindir}/dvipdf
 
 %changelog
+* Thu Sep 10 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 9.52-3
+- Type:bugfix
+- ID:CVE-2020-15900
+- SUG:NA
+- DESC:fix CVE-2020-15900
+
 * Thu Sep 3 2020 wangchen <wangchen137@huawei.com> - 9.52-2
 - Type:bugfix
 - ID:NA