diff --git a/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89246b431242fef14718aa493af6fe8e537795b8
--- /dev/null
+++ b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
@@ -0,0 +1,52 @@
+From 310ed54bd9198f0d29a67f0536a9b6943a22b5cf Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 23 Feb 2021 15:20:03 +0800
+Subject: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
+Fix CVE-2020-29443
+
+During data transfer via packet command in 'ide_atapi_cmd_reply_end'
+'s->io_buffer_index' could exceed the 's->io_buffer' length, leading
+to OOB access issue. Add check to avoid it.
+ ...
+ #9 ahci_pio_transfer ../hw/ide/ahci.c:1383
+ #10 ide_transfer_start_norecurse ../hw/ide/core.c:553
+ #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
+ #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
+ #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
+ #14 cmd_read ../hw/ide/atapi.c:988
+ #15 ide_atapi_cmd ../hw/ide/atapi.c:1352
+ #16 ide_transfer_start ../hw/ide/core.c:561
+ #17 cmd_packet ../hw/ide/core.c:1729
+ #18 ide_exec_cmd ../hw/ide/core.c:2107
+ #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
+ #20 handle_cmd ../hw/ide/ahci.c:1318
+ #21 check_cmd ../hw/ide/ahci.c:592
+ #22 ahci_port_write ../hw/ide/ahci.c:373
+ #23 ahci_mem_write ../hw/ide/ahci.c:513
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ide/atapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 1b0f66cc08..fc9dc87f03 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -300,6 +300,9 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ if (s->io_buffer_index > s->io_buffer_total_len) {
++ return;
++ }
+ 
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+-- 
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 72ef121ca5e1a1fb83c53d3cf707962f581d8ab8..1180ac90c24b5b52c3b108647d7795d8aebc81fc 100644
--- a/qemu.spec
+++ b/qemu.spec
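Review bot: The new guard `if (s->io_buffer_index > s->io_buffer_total_len)` only runs after `size` has already been subtracted from `packet_transfer_size` and `elementary_transfer_size` and added to `io_buffer_index`, and it then bails with a bare `return`, so when it fires the PACKET command is left half-accounted with no completion status or interrupt — from this hunk it looks like the guest command simply stalls rather than failing cleanly. Performing the check before those three updates would keep the counters untouched on the error path, e.g. `if (size > s->io_buffer_total_len - s->io_buffer_index) { return; }` placed above `s->packet_transfer_size -= size;` (this assumes `io_buffer_index` cannot already exceed `io_buffer_total_len` at that point, which the hunk does not show). Wherever it lands, the early return deserves a why-comment such as `/* guest-controlled transfer would run past io_buffer (CVE-2020-29443); refuse it */`, and it is worth considering completing the command through whatever error path the function already has instead of returning silently, since the backtrace in the commit message shows ide_transfer_start_norecurse is the consumer that would otherwise walk past the buffer. ide_atapi_cmd_reply_end starts before this hunk and continues after it, so the transfer setup that computes `size` is not visible here.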
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 33
+Release: 34
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -210,6 +210,7 @@ Patch0197: memory-clamp-cached-translation-in-case-it-points-to.patch
 Patch0198: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0199: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0200: msix-add-valid.accepts-methods-to-check-address.patch
+Patch0201: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -555,6 +556,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
 * Fri Feb 19 2021 Huawei Technologies Co., Ltd
 - ati: use vga_read_byte in ati_cursor_define
 - sd: sdhci: assert data_count is within fifo_buffer