diff --git a/backport-CVE-2019-13109.patch b/backport-CVE-2019-13109.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e2fb34b70054cca5ca2e01d4727082b7cb971ef
--- /dev/null
+++ b/backport-CVE-2019-13109.patch
@@ -0,0 +1,36 @@
+From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Thu, 25 Apr 2019 21:31:50 +0100
+Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
+ chunkLength`.
+
+This fixes #790.
+
+(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
+---
+ src/pngimage.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index 49c8336..435dd3b 100644
+--- a/src/pngimage.cpp
++++ b/src/pngimage.cpp
+@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+ #include "error.hpp"
++#include "enforce.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+
+@@ -480,6 +481,7 @@ namespace Exiv2 {
+ }
+
+ ++iccOffset; // +1 = 'compressed' flag
++ enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
+
+ zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+-- 
+1.8.3.1
+
diff --git a/backport-Fix-ICC-profile-in-PNG-images.patch b/backport-Fix-ICC-profile-in-PNG-images.patch
new file mode 100644
index 0000000000000000000000000000000000000000..adc919a0a3355bf448e548a4f2d0011d5fadec15
--- /dev/null
+++ b/backport-Fix-ICC-profile-in-PNG-images.patch
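Review bot: The added `enforce(iccOffset <= dataOffset, ...)` stops the unsigned underflow in `dataOffset-iccOffset`, but with `<=` the equal case still reaches `zlibToDataBuf` with a length of 0, i.e. an iCCP chunk that ends right after the compression-method byte and carries no compressed profile at all. Whether a zero-length input is handled safely there depends on zlibToDataBuf, which is outside this hunk; if it is not, `enforce(iccOffset < dataOffset, Exiv2::kerCorruptedMetadata);` rejects that chunk as corrupt too, and the choice should be confirmed against that helper. A short comment on the check would also help the next reader, e.g. `// the profile-name scan may have run to the end of the chunk; reject before the unsigned subtraction below`. The enclosing readMetadata function starts and ends outside the hunk.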
@@ -0,0 +1,47 @@
+From 466acf56a13a1afa88cefbb249b535088d077c20 Mon Sep 17 00:00:00 2001
+From: Luis Diaz Mas
+Date: Tue, 25 Dec 2018 16:54:26 +0100
+Subject: [PATCH] Fix ICC profile in PNG images
+
+(cherry picked from commit 9a38066b8eddf3948696a3362aac29e012ebe690)
+---
+ src/pngimage.cpp | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index ed7399a..49c8336 100644
+--- a/src/pngimage.cpp
++++ b/src/pngimage.cpp
+@@ -468,7 +468,20 @@ namespace Exiv2 {
+ }
+ else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4))
+ {
+- zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag
++ // The ICC profile name can vary from 1-79 characters.
++ uint32_t iccOffset = 0;
++ while (iccOffset < 80 && iccOffset < dataOffset) {
++
++ const byte* profileName = cdataBuf.pData_ + iccOffset;
++ ++iccOffset;
++
++ if (*profileName == 0x00)
++ break;
++ }
++
++ ++iccOffset; // +1 = 'compressed' flag
++
++ zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+ std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset << std::endl;
+ std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
+@@ -627,6 +640,7 @@ namespace Exiv2 {
+
+ // calculate CRC
+ uLong tmp = crc32(0L, Z_NULL, 0);
++ tmp = crc32(tmp, (const Bytef*)type ,typeLen);
+ tmp = crc32(tmp, (const Bytef*)header ,headerLen);
+ tmp = crc32(tmp, (const Bytef*)compressed.pData_,compressed.size_);
+ byte crc[4];
+-- 
+1.8.3.1
+
diff --git a/exiv2 b/exiv2
new file mode 100644
index 0000000000000000000000000000000000000000..4e2fb34b70054cca5ca2e01d4727082b7cb971ef
--- /dev/null
+++ b/exiv2
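Review bot: The keyword scan in the first hunk does not distinguish "found the NUL terminator" from "ran out of bytes", so a chunk whose profile name is not NUL-terminated within the 80-byte window (or within the chunk) is still accepted and whatever byte follows is silently taken as the compression-method flag. The unsigned underflow of `dataOffset-iccOffset` that this leaves open is closed by the companion backport-CVE-2019-13109.patch in this same commit, so I am not re-raising it; the validation gap is separate and cheap to close by tracking whether the loop actually hit the terminator, using the same `enforce` helper that companion patch brings into scope via `#include "enforce.hpp"`. The PNG spec also fixes the compression method to 0, so a further `enforce(cdataBuf.pData_[iccOffset] == 0, ...)` before the increment would be reasonable, though whether Exiv2 wants to reject rather than ignore unknown methods is a policy call I cannot settle from this hunk. The enclosing readMetadata function starts and ends outside the hunk.
```cpp
// The ICC profile name can vary from 1-79 characters and must be NUL-terminated
// within the first 80 bytes of the chunk (iCCP layout: keyword, NUL, method, data).
uint32_t iccOffset = 0;
bool nameTerminated = false;
while (iccOffset < 80 && iccOffset < dataOffset) {
    const byte* profileName = cdataBuf.pData_ + iccOffset;
    ++iccOffset;
    if (*profileName == 0x00) {
        nameTerminated = true;
        break;
    }
}
// Unterminated keyword, or no room left for the compression-method byte: corrupt chunk.
enforce(nameTerminated && iccOffset < dataOffset, Exiv2::kerCorruptedMetadata);
++iccOffset; // +1 = 'compressed' flag
// … unchanged: zlibToDataBuf call and DEBUG output …
```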
@@ -0,0 +1,36 @@
+From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Thu, 25 Apr 2019 21:31:50 +0100
+Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
+ chunkLength`.
+
+This fixes #790.
+
+(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
+---
+ src/pngimage.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index 49c8336..435dd3b 100644
+--- a/src/pngimage.cpp
++++ b/src/pngimage.cpp
+@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+ #include "error.hpp"
++#include "enforce.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+
+@@ -480,6 +481,7 @@ namespace Exiv2 {
+ }
+
+ ++iccOffset; // +1 = 'compressed' flag
++ enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
+
+ zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+-- 
+1.8.3.1
+
diff --git a/exiv2.spec b/exiv2.spec
index 2a5ea99862fa2cff65e6fe5b1722df652bade519..fafab38e2aa21116fa0ddbcb94461d5fc68a9b23 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,6 +1,6 @@
 Name: exiv2
 Version: 0.26
-Release: 18
+Release: 19
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -54,6 +54,8 @@
 Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
 Patch6022: CVE-2018-4868.patch
 Patch6023: backport-CVE-2018-10772.patch
 Patch6024: CVE-2018-11037.patch
+Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
+Patch6026: backport-CVE-2019-13109.patch
 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@@ -117,6 +119,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/
 
 %changelog
+* Tue Apr 28 2020 openEuler Buildteam - 0.26-19
+- Type:cves
+- ID:CVE-2019-13109
+- SUG:NA
+- DESC:fix CVE-2019-13109
+ fix ICC profile in PNG images
+
 * Thu Apr 16 2020 chenzhen - 0.26-18
 - Type:cves
 - ID:CVE-2018-11037
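Review bot: The new file `exiv2` added at the repository root is a byte-identical copy of backport-CVE-2019-13109.patch — both `index` lines point at the same blob 4e2fb34b70054cca5ca2e01d4727082b7cb971ef — and no `PatchNNNN:` line in the spec refers to it, so it looks like an accidental `git add` rather than an intended source. It should be dropped from this commit (`git rm exiv2`) so the package source tree does not carry an unreferenced duplicate patch that a later maintainer may mistake for the one actually applied.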
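Review bot: The second exiv2.spec hunk declares `Patch6025:` and `Patch6026:` but nothing in the diff touches `%prep`, which is outside the shown hunks; if that section applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`/`%autopatch`, the two new patches are declared but never applied, and the 0.26-19 build would still contain CVE-2019-13109 while the changelog claims the fix. Please confirm how `%prep` applies patches and, if needed, add `%patch6025 -p1` and `%patch6026 -p1` in that order. The order is not optional: backport-CVE-2019-13109.patch expects src/pngimage.cpp at blob 49c8336, which is exactly the post-image of backport-Fix-ICC-profile-in-PNG-images.patch, so Patch6025 must be applied before Patch6026; a comment next to the declarations, e.g. `# 6026 depends on 6025 (same function in src/pngimage.cpp); keep this order`, would protect against a future reordering.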