1 files changed, 91 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
new file mode 100644
index 0000000000..807207274e
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
@@ -0,0 +1,91 @@
+From 9000313cc5d4a31bdcdd6d7f0781101abab553aa Mon Sep 17 00:00:00 2001
+From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
+Date: Wed, 11 Feb 2026 10:24:50 +1100
+Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
+Co-authored-by: Eric Soroos <eric-github@soroos.net>
+CVE: CVE-2026-25990
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Tests/test_file_psd.py           |  17 +++++++++++++++++
+ Tests/test_imagefile.py          |   7 +++++++
+ src/decode.c                     |   3 ++-
+ src/encode.c                     |   3 ++-
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
+index 484a1be8f..1a98daffe 100644
+--- a/Tests/test_file_psd.py
+++ b/Tests/test_file_psd.py
+@@ -167,3 +167,20 @@ def test_crashes(test_file: str, raises) -> None:
+         with pytest.raises(raises):
+             with Image.open(f):
+                 pass
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/psd-oob-write.psd",
+        "Tests/images/psd-oob-write-x.psd",
+        "Tests/images/psd-oob-write-y.psd",
+    ],
+)
+def test_bounds_crash(test_file: str) -> None:
+    with Image.open(test_file) as im:
+        assert isinstance(im, PsdImagePlugin.PsdImageFile)
+        im.seek(im.n_frames)
+
+        with pytest.raises(ValueError):
+            im.load()
+diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
+index ddcae80d6..8aa102729 100644
+--- a/Tests/test_imagefile.py
+++ b/Tests/test_imagefile.py
+@@ -135,6 +135,13 @@ class TestImageFile:
+         with pytest.raises(OSError):
+             p.close()
+ 
+    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
+    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
+        im = Image.new("1", (1, 1))
+        fp = BytesIO()
+        with pytest.raises(SystemError, match="tile cannot extend outside image"):
+            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
+
+     def test_no_format(self) -> None:
+         buf = BytesIO(b"\x00" * 255)
+ 
+diff --git a/src/decode.c b/src/decode.c
+index ea2f3af80..43fa0ae3e 100644
+--- a/src/decode.c
+++ b/src/decode.c
+@@ -185,7 +185,8 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) {
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
+         PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
+         return NULL;
+diff --git a/src/encode.c b/src/encode.c
+index c7dd51015..87426cdec 100644
+--- a/src/encode.c
+++ b/src/encode.c
+@@ -250,7 +250,8 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) {
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
+         PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
+         return NULL;
+-- 
+2.50.1

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch new file mode 100644 index 0000000000..807207274e --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch
@@ -0,0 +1,91 @@
	1	From 9000313cc5d4a31bdcdd6d7f0781101abab553aa Mon Sep 17 00:00:00 2001
	2	From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
	3	Date: Wed, 11 Feb 2026 10:24:50 +1100
	4	Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
	5
	6	Co-authored-by: Eric Soroos <eric-github@soroos.net>
	7
	8	CVE: CVE-2026-25990
	9	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa]
	10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	11	---
	12	Tests/test_file_psd.py \| 17 +++++++++++++++++
	13	Tests/test_imagefile.py \| 7 +++++++
	14	src/decode.c \| 3 ++-
	15	src/encode.c \| 3 ++-
	16	4 files changed, 28 insertions(+), 2 deletions(-)
	17
	18	diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
	19	index 484a1be8f..1a98daffe 100644
	20	--- a/Tests/test_file_psd.py
	21	+++ b/Tests/test_file_psd.py
	22	@@ -167,3 +167,20 @@ def test_crashes(test_file: str, raises) -> None:
	23	with pytest.raises(raises):
	24	with Image.open(f):
	25	pass
	26	+
	27	+
	28	+@pytest.mark.parametrize(
	29	+ "test_file",
	30	+ [
	31	+ "Tests/images/psd-oob-write.psd",
	32	+ "Tests/images/psd-oob-write-x.psd",
	33	+ "Tests/images/psd-oob-write-y.psd",
	34	+ ],
	35	+)
	36	+def test_bounds_crash(test_file: str) -> None:
	37	+ with Image.open(test_file) as im:
	38	+ assert isinstance(im, PsdImagePlugin.PsdImageFile)
	39	+ im.seek(im.n_frames)
	40	+
	41	+ with pytest.raises(ValueError):
	42	+ im.load()
	43	diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
	44	index ddcae80d6..8aa102729 100644
	45	--- a/Tests/test_imagefile.py
	46	+++ b/Tests/test_imagefile.py
	47	@@ -135,6 +135,13 @@ class TestImageFile:
	48	with pytest.raises(OSError):
	49	p.close()
	50
	51	+ @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
	52	+ def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
	53	+ im = Image.new("1", (1, 1))
	54	+ fp = BytesIO()
	55	+ with pytest.raises(SystemError, match="tile cannot extend outside image"):
	56	+ ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
	57	+
	58	def test_no_format(self) -> None:
	59	buf = BytesIO(b"\x00" * 255)
	60
	61	diff --git a/src/decode.c b/src/decode.c
	62	index ea2f3af80..43fa0ae3e 100644
	63	--- a/src/decode.c
	64	+++ b/src/decode.c
	65	@@ -185,7 +185,8 @@ _setimage(ImagingDecoderObject decoder, PyObject args) {
	66	state->ysize = y1 - y0;
	67	}
	68
	69	- if (state->xsize <= 0 \|\| state->xsize + state->xoff > (int)im->xsize \|\|
	70	+ if (state->xoff < 0 \|\| state->xsize <= 0 \|\|
	71	+ state->xsize + state->xoff > (int)im->xsize \|\| state->yoff < 0 \|\|
	72	state->ysize <= 0 \|\| state->ysize + state->yoff > (int)im->ysize) {
	73	PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
	74	return NULL;
	75	diff --git a/src/encode.c b/src/encode.c
	76	index c7dd51015..87426cdec 100644
	77	--- a/src/encode.c
	78	+++ b/src/encode.c
	79	@@ -250,7 +250,8 @@ _setimage(ImagingEncoderObject encoder, PyObject args) {
	80	state->ysize = y1 - y0;
	81	}
	82
	83	- if (state->xsize <= 0 \|\| state->xsize + state->xoff > im->xsize \|\|
	84	+ if (state->xoff < 0 \|\| state->xsize <= 0 \|\|
	85	+ state->xsize + state->xoff > im->xsize \|\| state->yoff < 0 \|\|
	86	state->ysize <= 0 \|\| state->ysize + state->yoff > im->ysize) {
	87	PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
	88	return NULL;
	89	--
	90	2.50.1
	91