diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..4e6cc49506d16df9c51745add6cb9a55f4c2bafa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+libheif-1.19.8.tar.gz
diff --git a/CVE-2025-68431-oc.patch b/CVE-2025-68431-oc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7814a2b5302dd53a5f91c27d747e21d9d7fd4f19
--- /dev/null
+++ b/CVE-2025-68431-oc.patch
@@ -0,0 +1,13 @@
+diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
+index 04e81fe..8e33f1d 100644
+--- a/libheif/pixelimage.cc
++++ b/libheif/pixelimage.cc
+@@ -1322,7 +1322,7 @@ Error HeifPixelImage::overlay(std::shared_ptr& overlay, int32_t
+ if (!has_alpha) {
+ memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
+ in_p + in_x0 + y * in_stride,
+- in_w - in_x0);
++ in_w);
+ }
+ else {
+ for (uint32_t x = in_x0; x < in_w; x++) {
diff --git a/libheif.spec b/libheif.spec
index 8a261d5f0a83fc9cc38ce64d3674801e8e9b94c0..cbd64dc4521a322d0a02b2bc626ccc102ea32b32 100644
--- a/libheif.spec
+++ b/libheif.spec
@@ -4,11 +4,12 @@
 Summary: HEIF and AVIF file format decoder and encoder
 Name: libheif
 Version: 1.19.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPL-3.0-or-later and MIT
 URL: https://github.com/strukturag/libheif
 Source0: %{url}/archive/v%{version}/libheif-%{version}.tar.gz
 Patch0001: libheif-no-hevc-tests.patch
+Patch0002: CVE-2025-68431-oc.patch
 
 BuildRequires: cmake, gcc-c++, ninja-build
 #BuildRequires: openjpeg-devel, noopenh264-devel/openh264-devel
@@ -121,6 +122,10 @@ rm -rf third-party/
 
 
 %changelog
+* Sun Jan 04 2026 ze-you-liu - 1.19.8-4
+- [Type] security
+- [DESC] Fix CVE-2025-68431 vulnerability
+
 * Tue Jul 08 2025 bbrucezhang - 1.19.8-3
 - Rebuilt for loongarch64
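Review bot: In CVE-2025-68431-oc.patch the no-alpha branch now passes `in_w` to memcpy as a byte count starting at `in_p + in_x0`, while the unchanged alpha branch just below still loops `for (uint32_t x = in_x0; x < in_w; x++)`, which treats `in_w` as an end index. Both readings cannot hold when `in_x0` is non-zero: either the alpha path composites fewer columns than intended, or the copy can still run past the row if `in_w` has not already been reduced by `in_x0`. The code that computes `in_w` and `in_x0`, and the rest of `overlay`, lies outside this hunk, so this should be confirmed against the upstream fix. The old length `in_w - in_x0` is unsigned and would wrap to a very large size when `in_x0 > in_w`, which is presumably the out-of-bounds copy being fixed; a comment above the memcpy such as `// in_w is the clamped number of columns to copy, not an end index` would record that. The patch file also carries no header naming the upstream commit it was taken from, which makes the backport harder to audit.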