diff --git a/fluid/adversarial/advbox/adversary.py b/fluid/adversarial/advbox/adversary.py
index ae0fd127e9c4e6f2548194c1b1a580c1378c967e..0f8563321af646524144cf8d5c75f6cb3fe17db9 100644
--- a/fluid/adversarial/advbox/adversary.py
+++ b/fluid/adversarial/advbox/adversary.py
@@ -90,7 +90,8 @@ class Adversary(object):
 assert adversarial_example.shape == self.__original.shape
 ok = self._is_successful(adversarial_label)
 if ok:
- self.__adversarial_example = adversarial_example
+ self.__adversarial_example = adversarial_example.reshape(
+ self.__original.shape)
 self.__adversarial_label = adversarial_label
 return ok
diff --git a/fluid/adversarial/advbox/attacks/gradientsign.py b/fluid/adversarial/advbox/attacks/gradientsign.py
index 6c56b0d5466f93d6ad9eef713350634004acc9f9..eccece6b9c528dc55d00a8703171667b284d9381 100644
--- a/fluid/adversarial/advbox/attacks/gradientsign.py
+++ b/fluid/adversarial/advbox/attacks/gradientsign.py
@@ -44,8 +44,10 @@ class GradientSignAttack(Attack):
 gradient = self.model.gradient([(adversary.original,
 adversary.original_label)])
 gradient_sign = np.sign(gradient) * (max_ - min_)
+
+ adv_img = adversary.original.reshape(gradient_sign.shape)
 for epsilon in epsilons:
- adv_img = adversary.original + epsilon * gradient_sign
+ adv_img = adv_img + epsilon * gradient_sign
 adv_img = np.clip(adv_img, min_, max_)
 adv_label = np.argmax(self.model.predict([(adv_img, 0)]))
 logging.info('epsilon = {:.3f}, pre_label = {}, adv_label={}'.
diff --git a/fluid/adversarial/advbox/attacks/iterator_gradientsign.py b/fluid/adversarial/advbox/attacks/iterator_gradientsign.py
index 14f97c60033bcb4eeabcba8a1d5a5ff8bae3b9b7..c0ff2362e935a4501afce38e5c19c4b04c4be768 100644
--- a/fluid/adversarial/advbox/attacks/iterator_gradientsign.py
+++ b/fluid/adversarial/advbox/attacks/iterator_gradientsign.py
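Review bot: In fluid/adversarial/advbox/adversary.py the new `adversarial_example.reshape(self.__original.shape)` cannot change anything, because the unchanged `assert adversarial_example.shape == self.__original.shape` three lines above it already requires the two shapes to be equal. If callers are now expected to pass an array with the same elements in a different layout (the attack hunks in this commit reshape to `gradient_sign.shape`), that assert rejects them before the reshape is reached, except under `python -O` where the assert is stripped and no check runs at all. I would replace the assert with an explicit check that always runs, e.g. `if adversarial_example.size != self.__original.size: raise ValueError('adversarial example size mismatch')`, and keep the reshape. The enclosing method starts outside the hunk.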
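Review bot: In fluid/adversarial/advbox/attacks/gradientsign.py, `adv_img = adv_img + epsilon * gradient_sign` now carries the clipped result of the previous epsilon into the next one, so the distortion applied is the running sum of every epsilon tried so far while the `logging.info` line still reports the single `epsilon`. The removed line started from `adversary.original` on each pass, and the iterative variant in this same commit resets `adv_img` per epsilon, so the accumulation looks unintended; a robustness figure read off the logged epsilon would understate the real distortion. Keep the reshaped input under its own name, `original = adversary.original.reshape(gradient_sign.shape)` before the loop and `adv_img = original + epsilon * gradient_sign` inside it. The method body continues past the end of the hunk.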
@@ -35,7 +35,7 @@ class IteratorGradientSignAttack(Attack):
 min_, max_ = self.model.bounds()
 for epsilon in epsilons:
- adv_img = adversary.original
+ adv_img = None
 for _ in range(steps):
 if adversary.is_targeted_attack:
 gradient = self.model.gradient([(adversary.original,
@@ -45,6 +45,8 @@ class IteratorGradientSignAttack(Attack):
 gradient = self.model.gradient([(adversary.original,
 adversary.original_label)])
 gradient_sign = np.sign(gradient) * (max_ - min_)
+ if adv_img is None:
+ adv_img = adversary.original.reshape(gradient_sign.shape)
 adv_img = adv_img + gradient_sign * epsilon
 adv_img = np.clip(adv_img, min_, max_)
 adv_label = np.argmax(self.model.predict([(adv_img, 0)]))
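Review bot: In fluid/adversarial/advbox/attacks/iterator_gradientsign.py both gradient calls visible in these two hunks are evaluated at `adversary.original` rather than at `adv_img`, so `gradient_sign` appears to be the same on every pass of the `steps` loop and the new `if adv_img is None` test is repeated each step for a value that only needs setting once per epsilon. If that is intended, the gradient and the reshaped start image can be computed once before the inner loop and the `None` sentinel from the first hunk dropped. If it is not, results from this loop are those of a repeated single-step update and should be labelled as such in any robustness report. Either way the reshape deserves a comment, e.g. `# match the layout returned by model.gradient so the addition does not broadcast`, assuming that is the reason for it. The second line of the targeted-branch call and the start of the method are outside the hunks.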