diff --git a/backport-CVE-2021-29470.patch b/backport-CVE-2021-29470.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd4b8b219bee803b64e4d58b5d2d31999ee0ae72
--- /dev/null
+++ b/backport-CVE-2021-29470.patch
@@ -0,0 +1,39 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+---
+ src/jp2image.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 917d115..0825d99 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -626,15 +626,18 @@ namespace Exiv2
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.23.0
+
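Review bot: The guard added just before `Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;` is vacuous on the `!bWroteColor` path: `length` and `count` are now `uint32_t`, and `while ( count < length || !bWroteColor )` keeps iterating once `count >= length` when no colour box has been written yet, so `length - count` wraps to a large value, the `enforce` passes, and `p+count` already points past the `length` bytes of the box. A tighter form is `enforce(count < length && sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);`, which treats a box list without a colour box as corrupt; if that case is meant to be tolerated, the loop needs an explicit exit rather than a check that cannot fail there. Separately, both `static_cast(output.size_)` calls are shown here without a template argument; if that is not merely lost in rendering the patch will not compile, so confirm the intended argument (presumably `static_cast<size_t>`) against the file on disk. The body of encodeJp2Header continues beyond the inner hunk.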
diff --git a/backport-CVE-2021-3482.patch b/backport-CVE-2021-3482.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1117ed6406e4943a91e5f50dbcbb83072e200700
--- /dev/null
+++ b/backport-CVE-2021-3482.patch
@@ -0,0 +1,57 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index a81e68f..8e36276 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -345,7 +346,7 @@ namespace Exiv2
+ if (io_->error()) throw Error(14);
+ if (bufRead != rawData.size_) throw Error(20);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -484,6 +485,7 @@ namespace Exiv2
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if ( bPrint ) {
+ out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
+@@ -560,12 +562,13 @@ namespace Exiv2
+ if (bufRead != rawData.size_) throw Error(20);
+
+ if ( bPrint ){
+- out << Internal::binaryToString(rawData,40,0);
++ out << Internal::binaryToString(
++ rawData, rawData.size_>40?40:rawData.size_, 0);
+ out.flush();
+ }
+ lf(out,bLF);
+
+- if(bIsExif && bRecursive && rawData.size_ > 0)
++ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
+ {
+ if ( (rawData.pData_[0] == rawData.pData_[1])
+ && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
+--
+2.23.0
+
diff --git a/exiv2.spec b/exiv2.spec
index 3cf63c754a2414520554207b72b99680f82844d8..610b7d777ded6db7ca6733a69bca1de812ec52f6 100644
--- a/exiv2.spec
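Review bot: The new `enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);` in the `-484,6 +485,7` hunk compares the whole box length against the bytes remaining after the header has already been read, and the print two lines later takes `position-sizeof(box)` as the box start, which suggests `box.length` counts the header. If so the bound is off by `sizeof(box)` in the strict direction, so a final box ending exactly at end of file would be reported as corrupted, while a `box.length` smaller than `sizeof(box)` still passes. `enforce(box.length >= sizeof(box) && box.length - sizeof(box) <= io_->size()-io_->tell(), Exiv2::kerCorruptedMetadata);` would match that layout; check first how a zero `box.length` is treated further down, which is outside the hunk, and exempt it if it is used as "to end of file". The enclosing function starts and ends outside the hunk.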
+++ b/exiv2.spec
@@ -1,6 +1,6 @@
Name: exiv2
Version: 0.26
-Release: 23
+Release: 24
Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+
URL: http://www.exiv2.org/
@@ -60,6 +60,8 @@ Patch6027: exiv2-CVE-2019-13111.patch
Patch6028: CVE-2018-9145.patch
Patch6029: backport-CVE-2021-29457.patch
Patch6030: backport-CVE-2021-29458.patch
+Patch6031: backport-CVE-2021-3482.patch
+Patch6032: backport-CVE-2021-29470.patch
Provides: exiv2-libs
Obsoletes: exiv2-libs
@@ -123,6 +125,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/
%changelog
+* Sat May 08 2021 wangkerong - 0.26-24
+- Type:cves
+- ID:CVE-2021-29470 CVE-2021-3482
+- SUG:NA
+- DESC:fix CVE-2021-29470,CVE-2021-3482
+
* Thu Apr 29 2021 wangkerong - 0.26-23
- Type:cves
- ID:CVE-2021-29457 CVE-2021-29458