diff --git a/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40889.patch b/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40889.patch
new file mode 100644
index 000000000000..7b7ca5a0befa
--- /dev/null
+++ b/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40889.patch
@@ -0,0 +1,17 @@
+Simple bounds checks for CVE-2023-40889, based on third-party
+fix by Remi Meier @
+https://github.com/Raemi/zbar/commit/5e8acc6974f17e56c3ddaa5509870beb8d7a599c
+
+--- a/zbar/qrcode/qrdec.c
++++ b/zbar/qrcode/qrdec.c
+@@ -3900,8 +3900,8 @@ void qr_reader_match_centers(qr_reader *_reader,qr_code_data_list *_qrlist,
+ /*TODO: We might be able to accelerate this step significantly by
+ considering the remaining finder centers in a more intelligent order,
+ based on the first finder center we just chose.*/
+- for(j=i+1;!mark[i]&&j<_ncenters;j++){
+- for(k=j+1;!mark[j]&&k<_ncenters;k++)if(!mark[k]){
++ for(j=i+1; i < _ncenters && !mark[i]&&j<_ncenters;j++){
++ for(k=j+1; j < _ncenters && !mark[j]&&k<_ncenters;k++)if(!mark[k]){
+ qr_finder_center *c[3];
+ qr_code_data qrdata;
+ int version;
diff --git a/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40890.patch b/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40890.patch
new file mode 100644
index 000000000000..3576df214ae1
--- /dev/null
+++ b/pkgs/tools/graphics/zbar/0.23.92-CVE-2023-40890.patch
@@ -0,0 +1,26 @@
+Simple bounds checks for CVE-2023-40890
+
+--- a/zbar/decoder/databar.c
++++ b/zbar/decoder/databar.c
+@@ -23,6 +23,8 @@
+
+ #include
+ #include
++#include
++#include
+
+ #ifdef DEBUG_DATABAR
+ # define DEBUG_LEVEL (DEBUG_DATABAR)
+@@ -691,6 +693,12 @@ lookup_sequence (databar_segment_t *seg,
+ fixed = -1;
+ s <<= 1;
+ dbprintf(2, "%x", s);
++
++ if (i > 20) {
++ fprintf(stderr, "Bug: Out-of-bounds condition detected\n");
++ exit(99);
++ }
++
+ seq[i++] = s++;
+ seq[i++] = s;
+ }
diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix
index f9b84d2656a3..5a1d7e94fdf6 100644
--- a/pkgs/tools/graphics/zbar/default.nix
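Review bot: In the 0.23.92-CVE-2023-40889.patch hunk for zbar/qrcode/qrdec.c, the added `i < _ncenters` and `j < _ncenters` tests only guard the `mark[i]` and `mark[j]` reads in the two loop conditions, and nothing says why an index that started in range can end up past `_ncenters`. The loop bodies and the outer loop over `i` lie outside the hunk, so it should be confirmed against the referenced commit that `i` and `j` are not used as indices anywhere else between the point where they change and the next evaluation of these conditions. I would add a comment above the `j` loop, for example `/*i and j can move past _ncenters inside the loop body; re-check before indexing mark[].*/`, worded to match what the body actually does.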
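Review bot: In the 0.23.92-CVE-2023-40890.patch hunk for lookup_sequence in zbar/decoder/databar.c, the new guard calls `exit(99)` from inside decoder library code, so input that reaches this path terminates whatever process embeds the library instead of just failing the decode. That trades the out-of-bounds write for a denial of service; leaving the loop and taking the function's existing failure return would keep the host alive, though the return convention is outside the hunk and has to be checked. The limit `20` is also a bare constant: two stores follow (`seq[i++]` twice), so it should be tied to the element count of `seq`, with a comment like `/* two stores per iteration: i + 1 must stay below the element count of seq */`. Any use of `seq` after the loop is not visible here and is not covered by this check.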
+++ b/pkgs/tools/graphics/zbar/default.nix @@ -1,6 +1,7 @@ { stdenv , lib , fetchFromGitHub +, fetchpatch , imagemagickBig , pkg-config , withXorg ? true @@ -42,6 +43,11 @@ stdenv.mkDerivation rec { sha256 = "sha256-VhVrngAX7pXZp+szqv95R6RGAJojp3svdbaRKigGb0w="; }; + patches = [ + ./0.23.92-CVE-2023-40889.patch + ./0.23.92-CVE-2023-40890.patch + ]; + nativeBuildInputs = [ pkg-config xmlto
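Review bot: `fetchpatch` is added to the function arguments in the first default.nix hunk, but the `patches` list added in the second hunk uses only the two in-tree files, so the argument looks unused. Unless it is referenced in a part of default.nix outside these hunks, drop the `, fetchpatch` line.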
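Review bot: The `patches` list in the second default.nix hunk carries no comment saying where the fixes come from or when they can be removed, and the CVE-2023-40889 one is described in its own header as based on a third-party fix. A line such as `# CVE fixes not in the 0.23.92 source; drop when a release includes them` above the entries would tell whoever bumps the version to re-check both patches.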