diff --git a/0008-CVE-2023-7104.patch b/0008-CVE-2023-7104.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bded7fdbff8ddeed4a42241e24c42dd07bb837f0
--- /dev/null
+++ b/0008-CVE-2023-7104.patch
@@ -0,0 +1,45 @@
+it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001
+From: mazhao <mazhao12@huawei.com>
+Date: Wed, 3 Jan 2024 12:00:45 +0800
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could
+ occur when processing a corrupt changeset.
+
+Signed-off-by: mazhao <mazhao12@huawei.com>
+---
+ ext/session/sqlite3session.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index a892804..72ad427 100644
+--- a/ext/session/sqlite3session.c
++++ b/ext/session/sqlite3session.c
+@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++        if( (pIn->nData-pIn->iNext)<8 ){
++          rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++          sqlite3_int64 v = sessionGetI64(aVal);
++          if( eType==SQLITE_INTEGER ){
++            sqlite3VdbeMemSetInt64(apOut[i], v);
++          }else{
++            double d;
++            memcpy(&d, &v, 8);
++            sqlite3VdbeMemSetDouble(apOut[i], d);
++          }
++          pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.34.1
+
diff --git a/sqlite.spec b/sqlite.spec
index b304d95c05ea89c8ce2895b67f1c4aa96a0110b5..1977afa20f6cda8fb41d7dc2b95d4ae844c46871 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -6,7 +6,7 @@
 
 Name:    sqlite
 Version: 3.37.2
-Release: 6
+Release: 7
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -22,6 +22,7 @@ Patch4: 0004-fix-memory-problem-in-the-rtree-test-suite.patch
 Patch5: 0005-fix-integer-overflow-on-gigabyte-string.patch
 Patch6: 0006-CVE-2022-46908.patch
 Patch7: 0007-CVE-2023-36191.patch
+Patch8: 0008-CVE-2023-7104.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -71,6 +72,7 @@ This contains man files and HTML files for the using of sqlite.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -145,6 +147,9 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Wed Jan 3 2024 mazhao <mazhao12@huawei.com> - 3.37.2-7
+- fix the CVE-2023-7104
+
 * Mon Aug 7 2023 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-6
 - fix the CVE-2023-36191