From 2f53967a29e96aa50d8dd22a0a6b2c6f4b4e7177 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 1 Sep 2025 16:59:34 +0800
Subject: [PATCH] Fix CVE-2025-54080
---
 CVE-2025-54080.patch | 81 ++++++++++++++++++++++++++++++++++++++++++++
 exiv2.spec | 6 +++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-54080.patch
diff --git a/CVE-2025-54080.patch b/CVE-2025-54080.patch
new file mode 100644
index 0000000..fb0244f
--- /dev/null
+++ b/CVE-2025-54080.patch
@@ -0,0 +1,81 @@
+From f02c970ae56e6e377f7f79ba9e8edb5f2d23f48d Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Tue, 29 Jul 2025 18:58:46 +0100
+Subject: [PATCH] Better bounds checking to fix
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39
+
+Origin: https://github.com/Exiv2/exiv2/commit/f02c970ae56e6e377f7f79ba9e8edb5f2d23f48d
+
+---
+ src/epsimage.cpp | 35 +++++++++++------------------------
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/src/epsimage.cpp b/src/epsimage.cpp
+index 79402e6..7343104 100644
+--- a/src/epsimage.cpp
++++ b/src/epsimage.cpp
+@@ -28,6 +28,7 @@
+ #include "config.h"
+
+ #include "epsimage.hpp"
++#include "enforce.hpp"
+ #include "image.hpp"
+ #include "basicio.hpp"
+ #include "error.hpp"
+@@ -268,18 +269,15 @@ namespace {
+ uint32_t posTiff = 0;
+ uint32_t sizeTiff = 0;
+
++ ErrorCode errcode = write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData;
++
+ // check for DOS EPS
+ const bool dosEps = (size >= dosEpsSignature.size() && memcmp(data, dosEpsSignature.data(), dosEpsSignature.size()) == 0);
+ if (dosEps) {
+ #ifdef DEBUG
+ EXV_DEBUG << "readWriteEpsMetadata: Found DOS EPS signature\n";
+ #endif
+- if (size < 30) {
+- #ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "Premature end of file after DOS EPS signature.\n";
+- #endif
+- throw Error(write ? kerImageWriteFailed : kerFailedToReadImageData);
+- }
++ enforce(size >= 30, errcode);
+ posEps = getULong(data + 4, littleEndian);
+ posEndEps = getULong(data + 8, littleEndian) + posEps;
+ posWmf = getULong(data + 12, littleEndian);
+@@ -309,24 +307,13 @@ namespace {
+ #endif
+ if (write) throw Error(kerImageWriteFailed);
+ }
+- if (posEps < 30 || posEndEps > size) {
+- #ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posEps << ") or size (" << (posEndEps - posEps) << ") for EPS section.\n";
+- #endif
+- throw Error(write ? kerImageWriteFailed : kerFailedToReadImageData);
+- }
+- if (sizeWmf != 0 && (posWmf < 30 || posWmf + sizeWmf > size)) {
+- #ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posWmf << ") or size (" << sizeWmf << ") for WMF section.\n";
+- #endif
+- if (write) throw Error(kerImageWriteFailed);
+- }
+- if (sizeTiff != 0 && (posTiff < 30 || posTiff + sizeTiff > size)) {
+- #ifndef SUPPRESS_WARNINGS
+- EXV_WARNING << "DOS EPS file has invalid position (" << posTiff << ") or size (" << sizeTiff << ") for TIFF section.\n";
+- #endif
+- if (write) throw Error(kerImageWriteFailed);
+- }
++ enforce(30 <= posEps, errcode);
++ enforce(sizeWmf == 0 || 30 <= posWmf, errcode);
++ enforce(sizeTiff == 0 || 30 <= posTiff, errcode);
++
++ enforce(posEps <= posEndEps && posEndEps <= size, errcode);
++ enforce(posWmf <= size && sizeWmf <= size - posWmf, errcode);
++ enforce(posTiff <= size && sizeTiff <= size - posTiff, errcode);
+ }
+
+ // check first line
+--
+2.51.0
+
diff --git a/exiv2.spec b/exiv2.spec
index 913883b..da37acc 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,12 +1,13 @@
 Name: exiv2
 Version: 0.27.5
-Release: 3
+Release: 4
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL: http://www.exiv2.org/
 Source0: https://github.com/Exiv2/exiv2/archive/refs/tags/v%{version}.tar.gz
 Patch0001: CVE-2022-3755.patch
 Patch0002: CVE-2022-3756.patch
+Patch0003: CVE-2025-54080.patch
 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@@ -78,6 +79,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_pkgdocdir}/
 %changelog
+* Mon Sep 01 2025 wangkai <13474090681@163.com> - 0.27.5-4
+- Fix CVE-2025-54080
+
 * Thu Nov 10 2022 jiangpeng - 0.27.5-3
 - Fix CVE-2022-3755 CVE-2022-3756
--
Gitee
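Review bot: The three range checks at the end of the last epsimage.cpp hunk (`enforce(posEps <= posEndEps && posEndEps <= size, errcode)` and the WMF/TIFF pair) carry no comment explaining why they are written subtractively, which is the whole fix. I would add above them `// Offsets and sizes are read from the file: compare against size - pos, because pos + size can wrap.` so a later cleanup does not restore the additive form seen in the removed `posWmf + sizeWmf > size`. The WMF/TIFF range checks also lack the `sizeWmf == 0 ||` / `sizeTiff == 0 ||` guard used two lines earlier and, assuming `enforce` throws, now reject on read what the removed code only warned about; if that stricter behaviour is intended it deserves a mention in the `%changelog` entry. The enclosing function (apparently `readWriteEpsMetadata`) starts and ends outside the hunks.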