python3-pillow: patch CVE-2026-25990

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-03-06 19:33:45 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-09 07:49:31 +0530
commit: 9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b (patch)
tree: a784214da48102556223051a948113ac46ee9774 /meta-python/recipes-devtools/python
parent: a892f6cfc9a5b354966790660118e1277f6f07f2 (diff)
download: meta-openembedded-9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b.tar.gz
2 files changed, 156 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
new file mode 100644
index 0000000000..e2c12b7b24
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
@@ -0,0 +1,151 @@
+From 829bd7b5c533e3a58d6f0a0ef4f001ea2605b784 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
+Date: Wed, 11 Feb 2026 10:24:50 +1100
+Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
+Co-authored-by: Eric Soroos <eric-github@soroos.net>
+CVE: CVE-2026-25990
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ Tests/images/psd-oob-write-x.psd | Bin 0 -> 1126 bytes
+ Tests/images/psd-oob-write-y.psd | Bin 0 -> 1126 bytes
+ Tests/images/psd-oob-write.psd   | Bin 0 -> 37212 bytes
+ Tests/test_file_psd.py           |  17 +++++++++++++++++
+ Tests/test_imagefile.py          |   7 +++++++
+ src/decode.c                     |   3 ++-
+ src/encode.c                     |   3 ++-
+ 7 files changed, 28 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/images/psd-oob-write-x.psd
+ create mode 100644 Tests/images/psd-oob-write-y.psd
+ create mode 100644 Tests/images/psd-oob-write.psd
+diff --git a/Tests/images/psd-oob-write-x.psd b/Tests/images/psd-oob-write-x.psd
+new file mode 100644
+index 0000000000000000000000000000000000000000..86359f4cb7e826a69a8e69a4b85947498ec18923
+GIT binary patch
+literal 1126
+zcma)5J!lkB5dL=WC-F>3z$=1SY;juU8Wp`VZp09|z;cO@XbSh|ZgXUJ@7TRX4pIuX
+z0SkW`qZT&S+FIBOg5VE`wTL!~HWJqFz0GA0$%PEez3<J;H#cu)wx%1)P>@QFhrkNP
+zAuvV#TGJPoazEr{TAAgkKpC9EmzOT6P~@#DuSJ<hm6j=CQFnxTwjbr^06*x3jRjp>
+zUAwN0ePiq~9H(A1?WlXnFzSMFu>5&1Gvi%V<T^NJq;=A1Mm8UyF=Ec{hCSk&#20S$
+zx&q%PF54TXL;Re0He`XsABEjY@ppk;iB&?B!<EK7-&Q8p+#zfYVS6L=8FQX76~_;l
+zUtLYHBk-2Mz8AALDPjf_&EVQH&kFSv7O;pV7|>uLMjIY_sPYVGiO`^5AHhE<`36}Q
+zS#8*4Tt){zOv#6s0b?jxZ==?^v(ltY=s@91lKeUijNJuxx0B@W<0RRA0^~jeuY!!<
+z*#T<5Y2VIll}EtTZQ#Z0%x2vKUfuy_K6TB|l>Z~PO>MP+pU;5FHQ>ZspmZbc8-2o$
+zryqb7_Nx8{c<>N7<1+X9h<A^Zu-~^sWA^&TIbWq-;U;II5Gs4$Lb}sM=`V`S4mzQq
+zq_OJ*N=Y~EO*ibs9I}Y<;-F3647CKEJ-4w57a=DQb9#=9>9@HB$WwFjZhIlIc)`9T
+z6kgJL@)8%N^RTLn0liQ+`%UH?s%V<N0_v=&k0$F$eOV>)+x7mhM3JvQ>aRNJ<v*Wo
+Br)B^E
+literal 0
+HcmV?d00001
+diff --git a/Tests/images/psd-oob-write-y.psd b/Tests/images/psd-oob-write-y.psd
+new file mode 100644
+index 0000000000000000000000000000000000000000..73498266a7d732ad70be649718229fa5f07997b7
+GIT binary patch
+literal 1126
+zcma)5O=uHQ5dL=a(;8b^Foz-@_7FWa7ZuI1ZpBhbVM!~r+JpO(Y(sZ9VK++&coe)A
+zJot05>cNX=y?XE}2!cN#o<;Pc=tau<y|;-Qq$v(e-uGtao6MV;t?9-p6r_^lA+Ul;
+z2ux8w*YxF;+&6idRpxmrP==@Q<)sTM6nU%4Yf<J=rDaA~)IFh|?ML|qzz=$1V@cQ6
+zH?C?EUl@A?N2%vcJL+CAjJjYPEWh5$%y?53xeksQYn^tQk<ABaj99R{VUPGa@wuH|
+zSKzzEWqZqXh@TSAhb)lzy|7y;{wlC5u}X+?xYk(Y+see6JA$ndY;T1=W6m<B;`jmc
+ztLrIt1im4#@5QW5ikQJvGq|$KvqC+AB`jkF1~gcR(T0Z}syqW)A~fjN$MBC!zCo5n
+zRvR`M7tw(aQ}Q8Zz!*x_+o*Nsv@|JGI#BqOBtK396Ssl=-6Z+_FiG|w0lAOBiy-57
+z_JG<?+IKTs<pD5r6L|JAvsrh5=eK~l4_z}f<^PCnQ(G<I`x9V#132~?C|yhYMxXHG
+z@jGCRy{f+g?%fAYxy-#e=G~Jd{O#MJF@yeb&X=i|xXGC)gv#JsNO!s@{YA0aK_~Q+
+zG<I`HDe0!Y?S`G0Ll!Y!9JJ}1qn4nv=Qg(CBIE>OPS24s{WiA%d1_AHZ7(DiFOZT@
+z1~9EBFYiTZJFF^Wz(S#J_M6N(Qqe4Z1=LwlA5GSi`m##ox9j~=340;B^S{69u$O-T
+DuU)5R
+literal 0
+HcmV?d00001
+diff --git a/Tests/images/psd-oob-write.psd b/Tests/images/psd-oob-write.psd
+new file mode 100644
+index 0000000000000000000000000000000000000000..65a4472cf263a94277952c06903709afb0c8213f
+GIT binary patch
+literal 37212
+zcmeI!I|{-;5CG8e2f;Js6jo_XXCVk)LDH$<2|S2L%6V+#=3`?OM1sW|nCvc@*<D_>
+zMR_>JEc#fa;nZao?R<!Q8IecK-|IB4yX<SKuD|O3S4FwoU#_=vGZZ&X^GNwj%T3Bv
+zzi(EzJ?WeF%<9jci0uU7lnIa>L4W`O0t5&U7$GptyKKZoln@|5fB*pk1ildPmiYor
+z3jqQI2oNCfHv$oNL4W`O0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
+z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
+t009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&I~yZ}A8uQLDu
+literal 0
+HcmV?d00001
+diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
+index 38a88cd17..63db7b26a 100644
+--- a/Tests/test_file_psd.py
+++ b/Tests/test_file_psd.py
+@@ -184,3 +184,20 @@ def test_layer_crashes(test_file: str) -> None:
+             assert isinstance(im, PsdImagePlugin.PsdImageFile)
+             with pytest.raises(SyntaxError):
+                 im.layers
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/psd-oob-write.psd",
+        "Tests/images/psd-oob-write-x.psd",
+        "Tests/images/psd-oob-write-y.psd",
+    ],
+)
+def test_bounds_crash(test_file: str) -> None:
+    with Image.open(test_file) as im:
+        assert isinstance(im, PsdImagePlugin.PsdImageFile)
+        im.seek(im.n_frames)
+
+        with pytest.raises(ValueError):
+            im.load()
+diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
+index 7dfb3abf9..2ef9fe2b9 100644
+--- a/Tests/test_imagefile.py
+++ b/Tests/test_imagefile.py
+@@ -169,6 +169,13 @@ class TestImageFile:
+             with pytest.raises(ValueError, match="Tile offset cannot be negative"):
+                 im.load()
+ 
+    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
+    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
+        im = Image.new("1", (1, 1))
+        fp = BytesIO()
+        with pytest.raises(SystemError, match="tile cannot extend outside image"):
+            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
+
+     def test_no_format(self) -> None:
+         buf = BytesIO(b"\x00" * 255)
+ 
+diff --git a/src/decode.c b/src/decode.c
+index 051623ed4..7ec461c0e 100644
+--- a/src/decode.c
+++ b/src/decode.c
+@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) {
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
+         PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
+         return NULL;
+diff --git a/src/encode.c b/src/encode.c
+index b1d0181e0..117bf2164 100644
+--- a/src/encode.c
+++ b/src/encode.c
+@@ -254,7 +254,8 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) {
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
+         PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
+         return NULL;
diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
index 4db5db1572..34b462ca4f 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8"
 SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \
           file://0001-support-cross-compiling.patch \
+           file://CVE-2026-25990.patch \
           "
 SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0"
@@ -65,3 +66,7 @@ CVE_PRODUCT = "pillow"
 RPROVIDES:${PN} += "python3-imaging"
 BBCLASSEXTEND = "native"
+# CVE-2026-25990.patch in SRC_URI contains a binary blob, which needs to
+# be applied with git
+PATCHTOOL = "git"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-03-06 19:33:45 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-09 07:49:31 +0530
commit	9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b (patch)
tree	a784214da48102556223051a948113ac46ee9774 /meta-python/recipes-devtools/python
parent	a892f6cfc9a5b354966790660118e1277f6f07f2 (diff)
download	meta-openembedded-9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch new file mode 100644 index 0000000000..e2c12b7b24 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
@@ -0,0 +1,151 @@
		1	From 829bd7b5c533e3a58d6f0a0ef4f001ea2605b784 Mon Sep 17 00:00:00 2001
		2	From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
		3	Date: Wed, 11 Feb 2026 10:24:50 +1100
		4	Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
		5
		6	Co-authored-by: Eric Soroos <eric-github@soroos.net>
		7
		8	CVE: CVE-2026-25990
		9	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	Tests/images/psd-oob-write-x.psd \| Bin 0 -> 1126 bytes
		13	Tests/images/psd-oob-write-y.psd \| Bin 0 -> 1126 bytes
		14	Tests/images/psd-oob-write.psd \| Bin 0 -> 37212 bytes
		15	Tests/test_file_psd.py \| 17 +++++++++++++++++
		16	Tests/test_imagefile.py \| 7 +++++++
		17	src/decode.c \| 3 ++-
		18	src/encode.c \| 3 ++-
		19	7 files changed, 28 insertions(+), 2 deletions(-)
		20	create mode 100644 Tests/images/psd-oob-write-x.psd
		21	create mode 100644 Tests/images/psd-oob-write-y.psd
		22	create mode 100644 Tests/images/psd-oob-write.psd
		23
		24	diff --git a/Tests/images/psd-oob-write-x.psd b/Tests/images/psd-oob-write-x.psd
		25	new file mode 100644
		26	index 0000000000000000000000000000000000000000..86359f4cb7e826a69a8e69a4b85947498ec18923
		27	GIT binary patch
		28	literal 1126
		29	zcma)5J!lkB5dL=WC-F>3z$=1SY;juU8Wp`VZp09\|z;cO@XbSh\|ZgXUJ@7TRX4pIuX
		30	z0SkW`qZT&S+FIBOg5VE`wTL!~HWJqFz0GA0$%PEez3<J;H#cu)wx%1)P>@QFhrkNP
		31	zAuvV#TGJPoazEr{TAAgkKpC9EmzOT6P~@#DuSJ<hm6j=CQFnxTwjbr^06*x3jRjp>
		32	zUAwN0ePiq~9H(A1?WlXnFzSMFu>5&1Gvi%V<T^NJq;=A1Mm8UyF=Ec{hCSk&#20S$
		33	zx&q%PF54TXL;Re0He`XsABEjY@ppk;iB&?B!<EK7-&Q8p+#zfYVS6L=8FQX76~_;l
		34	zUtLYHBk-2Mz8AALDPjf_&EVQH&kFSv7O;pV7\|>uLMjIY_sPYVGiO`^5AHhE<`36}Q
		35	zS#8*4Tt){zOv#6s0b?jxZ==?^v(ltY=s@91lKeUijNJuxx0B@W<0RRA0^~jeuY!!<
		36	z*#T<5Y2VIll}EtTZQ#Z0%x2vKUfuy_K6TB\|l>Z~PO>MP+pU;5FHQ>ZspmZbc8-2o$
		37	zryqb7_Nx8{c<>N7<1+X9h<A^Zu-~^sWA^&TIbWq-;U;II5Gs4$Lb}sM=`V`S4mzQq
		38	zq_OJN=Y~EOibs9I}Y<;-F3647CKEJ-4w57a=DQb9#=9>9@HB$WwFjZhIlIc)`9T
		39	z6kgJL@)8%N^RTLn0liQ+`%UH?s%V<N0_v=&k0$F$eOV>)+x7mhM3JvQ>aRNJ<v*Wo
		40	Br)B^E
		41
		42	literal 0
		43	HcmV?d00001
		44
		45	diff --git a/Tests/images/psd-oob-write-y.psd b/Tests/images/psd-oob-write-y.psd
		46	new file mode 100644
		47	index 0000000000000000000000000000000000000000..73498266a7d732ad70be649718229fa5f07997b7
		48	GIT binary patch
		49	literal 1126
		50	zcma)5O=uHQ5dL=a(;8b^Foz-@_7FWa7ZuI1ZpBhbVM!~r+JpO(Y(sZ9VK++&coe)A
		51	zJot05>cNX=y?XE}2!cN#o<;Pc=tau<y\|;-Qq$v(e-uGtao6MV;t?9-p6r_^lA+Ul;
		52	z2ux8w*YxF;+&6idRpxmrP==@Q<)sTM6nU%4Yf<J=rDaA~)IFh\|?ML\|qzz=$1V@cQ6
		53	zH?C?EUl@A?N2%vcJL+CAjJjYPEWh5$%y?53xeksQYn^tQk<ABaj99R{VUPGa@wuH\|
		54	zSKzzEWqZqXh@TSAhb)lzy\|7y;{wlC5u}X+?xYk(Y+see6JA$ndY;T1=W6m<B;`jmc
		55	ztLrIt1im4#@5QW5ikQJvGq\|$KvqC+AB`jkF1~gcR(T0Z}syqW)A~fjN$MBC!zCo5n
		56	zRvR`M7tw(aQ}Q8Zz!x_+oNsv@\|JGI#BqOBtK396Ssl=-6Z+_FiG\|w0lAOBiy-57
		57	z_JG<?+IKTs<pD5r6L\|JAvsrh5=eK~l4_z}f<^PCnQ(G<I`x9V#132~?C\|yhYMxXHG
		58	z@jGCRy{f+g?%fAYxy-#e=G~Jd{O#MJF@yeb&X=i\|xXGC)gv#JsNO!s@{YA0aK_~Q+
		59	zG<I`HDe0!Y?S`G0Ll!Y!9JJ}1qn4nv=Qg(CBIE>OPS24s{WiA%d1_AHZ7(DiFOZT@
		60	z1~9EBFYiTZJFF^Wz(S#J_M6N(Qqe4Z1=LwlA5GSi`m##ox9j~=340;B^S{69u$O-T
		61	DuU)5R
		62
		63	literal 0
		64	HcmV?d00001
		65
		66	diff --git a/Tests/images/psd-oob-write.psd b/Tests/images/psd-oob-write.psd
		67	new file mode 100644
		68	index 0000000000000000000000000000000000000000..65a4472cf263a94277952c06903709afb0c8213f
		69	GIT binary patch
		70	literal 37212
		71	zcmeI!I\|{-;5CG8e2f;Js6jo_XXCVk)LDH$<2\|S2L%6V+#=3`?OM1sW\|nCvc@*<D_>
		72	zMR_>JEc#fa;nZao?R<!Q8IecK-\|IB4yX<SKuD\|O3S4FwoU#_=vGZZ&X^GNwj%T3Bv
		73	zzi(EzJ?WeF%<9jci0uU7lnIa>L4W`O0t5&U7$GptyKKZoln@\|5fB*pk1ildPmiYor
		74	z3jqQI2oNCfHv$oNL4W`O0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
		75	z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
		76	t009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&I~yZ}A8uQLDu
		77
		78	literal 0
		79	HcmV?d00001
		80
		81	diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
		82	index 38a88cd17..63db7b26a 100644
		83	--- a/Tests/test_file_psd.py
		84	+++ b/Tests/test_file_psd.py
		85	@@ -184,3 +184,20 @@ def test_layer_crashes(test_file: str) -> None:
		86	assert isinstance(im, PsdImagePlugin.PsdImageFile)
		87	with pytest.raises(SyntaxError):
		88	im.layers
		89	+
		90	+
		91	+@pytest.mark.parametrize(
		92	+ "test_file",
		93	+ [
		94	+ "Tests/images/psd-oob-write.psd",
		95	+ "Tests/images/psd-oob-write-x.psd",
		96	+ "Tests/images/psd-oob-write-y.psd",
		97	+ ],
		98	+)
		99	+def test_bounds_crash(test_file: str) -> None:
		100	+ with Image.open(test_file) as im:
		101	+ assert isinstance(im, PsdImagePlugin.PsdImageFile)
		102	+ im.seek(im.n_frames)
		103	+
		104	+ with pytest.raises(ValueError):
		105	+ im.load()
		106	diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
		107	index 7dfb3abf9..2ef9fe2b9 100644
		108	--- a/Tests/test_imagefile.py
		109	+++ b/Tests/test_imagefile.py
		110	@@ -169,6 +169,13 @@ class TestImageFile:
		111	with pytest.raises(ValueError, match="Tile offset cannot be negative"):
		112	im.load()
		113
		114	+ @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
		115	+ def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
		116	+ im = Image.new("1", (1, 1))
		117	+ fp = BytesIO()
		118	+ with pytest.raises(SystemError, match="tile cannot extend outside image"):
		119	+ ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
		120	+
		121	def test_no_format(self) -> None:
		122	buf = BytesIO(b"\x00" * 255)
		123
		124	diff --git a/src/decode.c b/src/decode.c
		125	index 051623ed4..7ec461c0e 100644
		126	--- a/src/decode.c
		127	+++ b/src/decode.c
		128	@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject decoder, PyObject args) {
		129	state->ysize = y1 - y0;
		130	}
		131
		132	- if (state->xsize <= 0 \|\| state->xsize + state->xoff > (int)im->xsize \|\|
		133	+ if (state->xoff < 0 \|\| state->xsize <= 0 \|\|
		134	+ state->xsize + state->xoff > (int)im->xsize \|\| state->yoff < 0 \|\|
		135	state->ysize <= 0 \|\| state->ysize + state->yoff > (int)im->ysize) {
		136	PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
		137	return NULL;
		138	diff --git a/src/encode.c b/src/encode.c
		139	index b1d0181e0..117bf2164 100644
		140	--- a/src/encode.c
		141	+++ b/src/encode.c
		142	@@ -254,7 +254,8 @@ _setimage(ImagingEncoderObject encoder, PyObject args) {
		143	state->ysize = y1 - y0;
		144	}
		145
		146	- if (state->xsize <= 0 \|\| state->xsize + state->xoff > im->xsize \|\|
		147	+ if (state->xoff < 0 \|\| state->xsize <= 0 \|\|
		148	+ state->xsize + state->xoff > im->xsize \|\| state->yoff < 0 \|\|
		149	state->ysize <= 0 \|\| state->ysize + state->yoff > im->ysize) {
		150	PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
		151	return NULL;


diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb index 4db5db1572..34b462ca4f 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8"
7		7
8	SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \	8	SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \
9	file://0001-support-cross-compiling.patch \	9	file://0001-support-cross-compiling.patch \
		10	file://CVE-2026-25990.patch \
10	"	11	"
11	SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0"	12	SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0"
12		13
@@ -65,3 +66,7 @@ CVE_PRODUCT = "pillow"
65	RPROVIDES:${PN} += "python3-imaging"	66	RPROVIDES:${PN} += "python3-imaging"
66		67
67	BBCLASSEXTEND = "native"	68	BBCLASSEXTEND = "native"
		69
		70	# CVE-2026-25990.patch in SRC_URI contains a binary blob, which needs to
		71	# be applied with git
		72	PATCHTOOL = "git"