diff --git a/oniguruma-6.9.6-upstream-bug221.patch b/oniguruma-6.9.6-upstream-bug221.patch
new file mode 100644
index 0000000..7b4a487
--- /dev/null
+++ b/oniguruma-6.9.6-upstream-bug221.patch
@@ -0,0 +1,32 @@
+From 3603d78f0a3dc80e4d450509120c26a5ffcd293b Mon Sep 17 00:00:00 2001
+From: "K.Kosako"
+Date: Tue, 20 Oct 2020 11:52:27 +0900
+Subject: [PATCH] #221: revert cbe9f8b and 8155473: Out-of-bounds write in #207
+ (Issues found with Coverity) is fake
+
+---
+ src/regcomp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index 30b982bb..7aee715f 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -6238,7 +6238,7 @@ concat_opt_exact(OptStr* to, OptStr* add, OnigEncoding enc)
+ end = p + add->len;
+ for (i = to->len; p < end; ) {
+ len = enclen(enc, p);
+- if (i + len >= OPT_EXACT_MAXLEN) {
++ if (i + len > OPT_EXACT_MAXLEN) {
+ r = 1; /* 1:full */
+ break;
+ }
+@@ -6264,7 +6264,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc)
+
+ for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
+ len = enclen(enc, p);
+- if (i + len >= OPT_EXACT_MAXLEN) break;
++ if (i + len > OPT_EXACT_MAXLEN) break;
+ for (j = 0; j < len && p < end; j++)
+ to->s[i++] = *p++;
+ }
diff --git a/oniguruma.spec b/oniguruma.spec
index 568fffc..bcb7835 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -4,7 +4,7 @@ %global betaver rc3 %define prerelease 1 -%global fedorarel 2 +%global fedorarel 3 Name: oniguruma Version: %{mainver}
@@ -14,6 +14,9 @@ Summary: Regular expressions library License: BSD URL: https://github.com/kkos/oniguruma/ Source0: https://github.com/kkos/oniguruma/releases/download/v%{mainver}%{?betaver:_%betaver}/onig-%{mainver}%{?betaver:-%betaver}.tar.gz +# https://github.com/kkos/oniguruma/issues/221 +# https://github.com/kkos/oniguruma/commit/3603d78f0a3dc80e4d450509120c26a5ffcd293b +Patch0: oniguruma-6.9.6-upstream-bug221.patch BuildRequires: gcc
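Review bot: With both guards in the nested regcomp.c hunks relaxed to `i + len > OPT_EXACT_MAXLEN`, a character that ends exactly at the limit is now copied, so in concat_opt_exact_str the store `to->s[i++] = *p++` can reach index OPT_EXACT_MAXLEN - 1 and leave i equal to OPT_EXACT_MAXLEN. That stays in bounds only if the `s` array in OptStr holds at least OPT_EXACT_MAXLEN bytes and nothing after the loops writes at `to->s[to->len]`; neither the declaration nor the tail of either function is visible, since both bodies start and end outside the hunks. Because this revert undoes a change that was tracked as CVE-2020-26159, I would confirm both conditions in the unpacked 6.9.6 rc3 tree and record the result in the patch description above the `---` line, for example `Checked downstream: OptStr.s size and the code after both loops (result: <to be filled in>)`.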
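Review bot: The two comment lines added above `Patch0:` link the issue and the commit but do not say that the patch reverts the change made for CVE-2020-26159, which only the changelog entry in the last hunk mentions. Anyone auditing this package against that CVE will find the earlier bound check gone with no explanation at the point where the patch is declared. I would add `# Reverts the upstream change for CVE-2020-26159, which upstream considers a false report (see issue 221)` above the two URLs.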
@@ -35,6 +38,7 @@ developing applications that use %{name}. %prep %setup -q -n onig-%{mainver} +%patch0 -p1 -b .up221 %{__sed} -i.multilib -e 's|-L@libdir@||' onig-config.in
@@ -100,6 +104,10 @@ find $RPM_BUILD_ROOT -name '*.la' \ %{_libdir}/pkgconfig/%{name}.pc %changelog +* Tue Oct 20 2020 Mamoru TASAKA - 6.9.6-0.3.rc3 +- Apply upstream patch for upstream bug 221 + - Revert change for false CVE-2020-26159 issue + * Sat Oct 17 2020 Mamoru TASAKA - 6.9.6-0.2.rc3 - 6.9.2 rc3