diff --git a/CVE-2023-34872.patch b/CVE-2023-34872.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b9d087b2f984bb7269b298b4f0955ddc259ab0eb
--- /dev/null
+++ b/CVE-2023-34872.patch
@@ -0,0 +1,40 @@
+From bcb56632b86ce63b7e4c0c844399754f1daa3205 Mon Sep 17 00:00:00 2001
+From: ut004615 <haomimi@uniontech.com>
+Date: Tue, 1 Aug 2023 16:08:59 +0800
+Subject: [PATCH] Fix crash on malformed files
+
+---
+ poppler/Outline.cc | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/Outline.cc b/poppler/Outline.cc
+index 74c72d6..6f7a776 100644
+--- a/poppler/Outline.cc
++++ b/poppler/Outline.cc
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
+-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2009 Nick Jones <nick.jones@network-box.com>
+ // Copyright (C) 2016 Jason Crain <jason@aquaticape.us>
+ // Copyright (C) 2017 Adrian Johnson <ajohnson@redneon.com>
+@@ -483,8 +483,12 @@ void OutlineItem::open()
+ {
+     if (!kids) {
+         Object itemDict = xref->fetch(ref);
+-        const Object &firstRef = itemDict.dictLookupNF("First");
+-        kids = readItemList(this, &firstRef, xref, doc);
++        if (itemDict.isDict()) {
++            const Object &firstRef = itemDict.dictLookupNF("First");
++            kids = readItemList(this, &firstRef, xref, doc);
++        } else {
++            kids = new std::vector<OutlineItem *>();
++        }
+     }
+ }
+ 
+-- 
+2.27.0
+
diff --git a/poppler.spec b/poppler.spec
index 1965ecdb933b31f56559d05a4a1bdb6f19ad6286..81461cd6d045d3d566b2b20b53eb5e905ad49a08 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -4,7 +4,7 @@
 
 Name:    poppler
 Version: 22.01.0
-Release: 3
+Release: 4
 Summary: PDF rendering library
 License: GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
@@ -14,6 +14,7 @@ Source1: %{name}-test-%{test_date}-%{test_sha}.tar.xz
 Patch1:  poppler-0.90.0-position-independent-code.patch
 Patch3:  poppler-21.01.0-glib-introspection.patch
 Patch4:  CVE-2022-38784.patch
+Patch5:  CVE-2023-34872.patch
 
 patch6000:  backport-CVE-2022-27337.patch
 
@@ -251,6 +252,9 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Tue Aug 01 2023 haomimi <haomimi@uniontech.com> - 22.01.0-4
+- fix CVE-2023-34872
+
 * Tue Mar 14 2023 zhangpan <zhangpan103@h-partners.com> - 22.01.0-3
 - Type:CVE
 - CVE:CVE-2022-27337