From 83f7a5d485e2c17c03c6dfb45c4495749e5dc11f Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 1 Sep 2025 15:46:01 +0800
Subject: [PATCH] Fix CVE-2025-54080, CVE-2025-55304

(cherry picked from commit 1e3461f5de8422148defa660f9f7b88bec0189ea)

---
 CVE-2025-54080.patch | 77 ++++++++++++++++++++++++++++
 CVE-2025-55304.patch | 119 +++++++++++++++++++++++++++++++++++++++++++
 exiv2.spec | 7 ++-
 3 files changed, 202 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-54080.patch
 create mode 100644 CVE-2025-55304.patch

diff --git a/CVE-2025-54080.patch b/CVE-2025-54080.patch
new file mode 100644
index 0000000..f828e8f
--- /dev/null
+++ b/CVE-2025-54080.patch
@@ -0,0 +1,77 @@
+From f02c970ae56e6e377f7f79ba9e8edb5f2d23f48d Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Tue, 29 Jul 2025 18:58:46 +0100
+Subject: [PATCH] Better bounds checking to fix
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39
+
+Origin: https://github.com/Exiv2/exiv2/commit/f02c970ae56e6e377f7f79ba9e8edb5f2d23f48d
+
+---
+ src/epsimage.cpp | 40 +++++++++++-----------------------------
+ 1 file changed, 11 insertions(+), 29 deletions(-)
+
+diff --git a/src/epsimage.cpp b/src/epsimage.cpp
+index 2e2241b69c..bb4aa3303a 100644
+--- a/src/epsimage.cpp
++++ b/src/epsimage.cpp
+@@ -241,6 +241,8 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList
+ uint32_t posTiff = 0;
+ uint32_t sizeTiff = 0;
+
++ ErrorCode errcode = write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData;
++
+ // check for DOS EPS
+ const bool dosEps =
+ (size >= dosEpsSignature.size() && memcmp(data, dosEpsSignature.data(), dosEpsSignature.size()) == 0);
+@@ -248,12 +250,8 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList
+ #ifdef DEBUG
+ EXV_DEBUG << "readWriteEpsMetadata: Found DOS EPS signature\n";
+ #endif
+- if (size < 30) {
+-#ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "Premature end of file after DOS EPS signature.\n";
+-#endif
+- throw Error(write ?
ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData);
+- }
++
++ enforce(size >= 30, errcode);
+ posEps = getULong(data + 4, littleEndian);
+ posEndEps = getULong(data + 8, littleEndian) + posEps;
+ posWmf = getULong(data + 12, littleEndian);
+@@ -285,29 +283,13 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList
+ if (write)
+ throw Error(ErrorCode::kerImageWriteFailed);
+ }
+- if (posEps < 30 || posEndEps > size) {
+-#ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posEps << ") or size (" << (posEndEps - posEps)
+- << ") for EPS section.\n";
+-#endif
+- throw Error(write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData);
+- }
+- if (sizeWmf != 0 && (posWmf < 30 || posWmf + sizeWmf > size)) {
+-#ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posWmf << ") or size (" << sizeWmf
+- << ") for WMF section.\n";
+-#endif
+- if (write)
+- throw Error(ErrorCode::kerImageWriteFailed);
+- }
+- if (sizeTiff != 0 && (posTiff < 30 || posTiff + sizeTiff > size)) {
+-#ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posTiff << ") or size (" << sizeTiff
+- << ") for TIFF section.\n";
+-#endif
+- if (write)
+- throw Error(ErrorCode::kerImageWriteFailed);
+- }
++ enforce(30 <= posEps, errcode);
++ enforce(sizeWmf == 0 || 30 <= posWmf, errcode);
++ enforce(sizeTiff == 0 || 30 <= posTiff, errcode);
++
++ enforce(posEps <= posEndEps && posEndEps <= size, errcode);
++ enforce(posWmf <= size && sizeWmf <= size - posWmf, errcode);
++ enforce(posTiff <= size && sizeTiff <= size - posTiff, errcode);
+ }
+
+ // check first line
diff --git a/CVE-2025-55304.patch b/CVE-2025-55304.patch
new file mode 100644
index 0000000..72ade41
--- /dev/null
+++ b/CVE-2025-55304.patch
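Review bot: The three new `enforce(...)` lines for the WMF and TIFF sections turn what the removed code treated as a read-mode warning (`if (write) throw ...`) into an unconditional throw of `errcode`, and the four `EXV_WARNING` messages naming the bad section are gone with them, so a malformed DOS EPS header now fails with a bare kerFailedToReadImageData and no hint of which offset was rejected. The stricter check is the right defensive default, but it is a user-visible behaviour change for files that previously still parsed in read mode; a one-line `EXV_WARNING << "DOS EPS header has an invalid section position or size.\n";` inside `#ifndef SUPPRESS_WARNINGS` ahead of the enforce block, or a sentence in the spec changelog, would keep that visible. The backport also assumes `enforce(bool, ErrorCode)` is already in scope in the 0.28.2 copy of epsimage.cpp; confirm the include is present there, since this commit was written against upstream main. readWriteEpsMetadata continues outside the hunk.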
@@ -0,0 +1,119 @@
+From e5bf22e0cebeabeb2ffd40678344467a271be12d Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Fri, 15 Aug 2025 12:08:49 +0100
+Subject: [PATCH 1/2] Add new method appendIccProfile to fix quadratic
+ performance issue.
+
+Orgin: https://github.com/Exiv2/exiv2/pull/3345
+
+---
+ include/exiv2/image.hpp | 10 ++++++++++
+ src/image.cpp | 29 +++++++++++++++++++++--------
+ src/jpgimage.cpp | 7 +------
+ 3 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/include/exiv2/image.hpp b/include/exiv2/image.hpp
+index 483af8a60e..3c80e8bca5 100644
+--- a/include/exiv2/image.hpp
++++ b/include/exiv2/image.hpp
+@@ -191,6 +191,16 @@ class EXIV2API Image {
+ @param bTestValid - tests that iccProfile contains credible data
+ */
+ virtual void setIccProfile(DataBuf&& iccProfile, bool bTestValid = true);
++ /*!
++ @brief Append more bytes to the iccProfile.
++ @param iccProfile DataBuf containing profile (binary)
++ @param bTestValid - tests that iccProfile contains credible data
++ */
++ virtual void appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid);
++ /*!
++ @brief Throw an exception if the size at the beginning of the iccProfile isn't correct.
++ */
++ virtual void checkIccProfile();
+ /*!
+ @brief Erase iccProfile. the profile is not removed from
+ the actual image until the writeMetadata() method is called.
+diff --git a/src/image.cpp b/src/image.cpp
+index 3f149e683c..df3f6fd311 100644
+--- a/src/image.cpp
++++ b/src/image.cpp
+@@ -625,16 +625,29 @@ void Image::setComment(const std::string& comment) {
+ }
+
+ void Image::setIccProfile(Exiv2::DataBuf&& iccProfile, bool bTestValid) {
++ iccProfile_ = std::move(iccProfile);
+ if (bTestValid) {
+- if (iccProfile.size() < sizeof(long)) {
+- throw Error(ErrorCode::kerInvalidIccProfile);
+- }
+- const size_t size = iccProfile.read_uint32(0, bigEndian);
+- if (size != iccProfile.size()) {
+- throw Error(ErrorCode::kerInvalidIccProfile);
+- }
++ checkIccProfile();
++ }
++}
++
++void Image::appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid) {
++ const size_t start = iccProfile_.size();
++ iccProfile_.resize(Safe::add(start, size));
++ memcpy(iccProfile_.data(start), bytes, size);
++ if (bTestValid) {
++ checkIccProfile();
++ }
++}
++
++void Image::checkIccProfile() {
++ if (iccProfile_.size() < sizeof(long)) {
++ throw Error(ErrorCode::kerInvalidIccProfile);
++ }
++ const size_t size = iccProfile_.read_uint32(0, bigEndian);
++ if (size != iccProfile_.size()) {
++ throw Error(ErrorCode::kerInvalidIccProfile);
+ }
+- iccProfile_ = std::move(iccProfile);
+ }
+
+ void Image::clearIccProfile() {
+diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
+index 34187dc638..2c29135aeb 100644
+--- a/src/jpgimage.cpp
++++ b/src/jpgimage.cpp
+@@ -268,12 +268,7 @@ void JpegBase::readMetadata() {
+ icc_size = s;
+ }
+
+- DataBuf profile(Safe::add(iccProfile_.size(), icc_size));
+- if (!iccProfile_.empty()) {
+- std::copy(iccProfile_.begin(), iccProfile_.end(), profile.begin());
+- }
+- std::copy_n(buf.c_data(2 + 14), icc_size, profile.data() + iccProfile_.size());
+- setIccProfile(std::move(profile), chunk == chunks);
++ appendIccProfile(buf.c_data(2 + 14), icc_size, chunk == chunks);
+ } else if (pixelHeight_ == 0 && inRange2(marker, sof0_, sof3_, sof5_, sof15_)) {
+ // We hit a SOFn (start-of-frame) marker
+ if (size < 8) {
+
+From b7f153f0c0c2d61f97de9de474b57b1176214225 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Mon, 18 Aug 2025 21:02:38 +0100
+Subject: [PATCH 2/2] Fix docstring
+
+---
+ include/exiv2/image.hpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/exiv2/image.hpp b/include/exiv2/image.hpp
+index 3c80e8bca5..6de3f3eafd 100644
+--- a/include/exiv2/image.hpp
++++ b/include/exiv2/image.hpp
+@@ -193,7 +193,8 @@ class EXIV2API Image {
+ virtual void setIccProfile(DataBuf&& iccProfile, bool bTestValid = true);
+ /*!
+ @brief Append more bytes to the iccProfile.
+- @param iccProfile DataBuf containing profile (binary)
++ @param bytes array of bytes to append
++ @param size number of bytes to append
+ @param bTestValid - tests that iccProfile contains credible data
+ */
+ virtual void appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid);
diff --git a/exiv2.spec b/exiv2.spec
index ad065af..c2af4e1 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,6 +1,6 @@
 Name: exiv2
 Version: 0.28.2
-Release: 3
+Release: 4
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -8,6 +8,8 @@ Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.t
 # https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387
 Patch3000: backport-CVE-2024-39695.patch
 Patch3001: CVE-2025-26623.patch
+Patch3002: CVE-2025-54080.patch
+Patch3003: CVE-2025-55304.patch
 Provides: exiv2-libs = %{version}-%{release}
 Obsoletes: exiv2-libs < %{version}-%{release}
@@ -77,6 +79,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_pkgdocdir}/
 %changelog
+* Mon Sep 01 2025 wangkai <13474090681@163.com> - 0.28.2-4
+- Fix CVE-2025-54080, CVE-2025-55304
+
 * Mon Feb 24 2025 wangkai <13474090681@163.com> - 0.28.2-3
 - Fix CVE-2025-26623
-- Gitee
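Review bot: In the new `Image::appendIccProfile` the `memcpy(iccProfile_.data(start), bytes, size)` runs even when `size` is 0, and `start` then equals the buffer's size, so the destination offset is one past the end; whether `DataBuf::data(start)` returns a null pointer or throws at that offset depends on the DataBuf implementation in the 0.28.2 tree (not visible here), and a zero-length memcpy through a null pointer is still undefined behaviour. A guard `if (size != 0) memcpy(iccProfile_.data(start), bytes, size);` keeps the empty-APP2-chunk case safe regardless of which DataBuf ships. Separately, `appendIccProfile` and `checkIccProfile` are added as `virtual` members between `setIccProfile` and `clearIccProfile` in `class EXIV2API Image`, which inserts two vtable slots ahead of every later virtual; for a packaged libexiv2 with a fixed soname that is an ABI change for anything outside the library that subclasses Image or was built against the old header, so the maintainer should check the distribution's ABI policy before shipping this as an update. The enclosing readMetadata in jpgimage.cpp, where `icc_size` is set, starts and ends outside the hunk.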
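Review bot: The `@@ -8,6 +8,8 @@` hunk declares `Patch3002` and `Patch3003` but nothing in the diff applies them; if this spec's `%prep` lists explicit `%patch` lines rather than `%autosetup`, the two files would be shipped in the SRPM and never applied, and the build would still succeed with both CVEs unfixed. Confirm that `%prep` uses `%autosetup -p1` (or add `%patch -P3002 -p1` and `%patch -P3003 -p1`), and that the build log shows both patches being applied. The Release bump to 4 and the 0.28.2-4 changelog entry in the other two hunks are consistent with the two new patch declarations.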