diff --git a/0056-release-branch.go1.16-archive-zip-prevent-preallocat.patch b/0056-release-branch.go1.16-archive-zip-prevent-preallocat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8e83dd34fc41507470ba5a2aadec32f1298d011
--- /dev/null
+++ b/0056-release-branch.go1.16-archive-zip-prevent-preallocat.patch
@@ -0,0 +1,73 @@
+From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 18 Aug 2021 11:49:29 -0700
+Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation check from overflowing
+
+If the indicated directory size in the archive header is so large that
+subtracting it from the archive size overflows a uint64, the check that
+the indicated number of files in the archive can be effectively
+bypassed. Prevent this from happening by checking that the indicated
+directory size is less than the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #47985
+Updates #47801
+Fixes CVE-2021-39293
+
+Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
+Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+Trust: Cherry Mui <cherryyz@google.com>
+
+Reference:https://go-review.googlesource.com/c/go/+/345409
+Conflict:NA
+---
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index ddef2b7..801d131 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -105,7 +105,7 @@
+ 	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
+ 	// header which will be _at least_ 30 bytes we can safely preallocate
+ 	// if (data size / 30) >= end.directoryRecords.
+-	if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++	if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+ 		z.File = make([]*File, 0, end.directoryRecords)
+ 	}
+ 	z.Comment = end.comment
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index 471be27..99f1334 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1225,3 +1225,21 @@
+ 		t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+ 	}
+ }
++
++func TestCVE202139293(t *testing.T) {
++	// directory size is so large, that the check in Reader.init
++	// overflows when subtracting from the archive size, causing
++	// the pre-allocation check to be bypassed.
++	data := []byte{
++		0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++		0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++		0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
++		0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
++	}
++	_, err := NewReader(bytes.NewReader(data), int64(len(data)))
++	if err != ErrFormat {
++		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++	}
++}
diff --git a/golang.spec b/golang.spec
index a93438474445883f6399aa6b0da7d3b1214921b1..0df4f0de5f942de95a40618e1fa184ef68988260 100644
--- a/golang.spec
+++ b/golang.spec
@@ -62,7 +62,7 @@
 
 Name:           golang
 Version:        1.15.7
-Release:        7
+Release:        8
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -201,6 +201,7 @@ Patch6052:       0052-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch
 Patch6053:       0053-net-http-httputil-close-incoming-ReverseProxy-reques.patch
 Patch6054:       0054-release-branch.go1.16-debug-macho-fail-on-invalid-dy.patch
 Patch6055:       0055-release-branch.go1.16-net-http-update-bundled-golang.patch
+Patch6056:       0056-release-branch.go1.16-archive-zip-prevent-preallocat.patch
 
 Patch9001:       0001-drop-hard-code-cert.patch
 
@@ -434,6 +435,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Tue Feb 8 2022 hanchao<hanchao47@huawei.com> - 1.15.7-8
+- fix CVE-2021-39293
+
 * Wed Jan 19 2022 hanchao<hanchao47@huawei.com> - 1.15.7-7
 - fix CVE-2021-44716