From fdf83ebd289465a9534b8110a43a03a6cb2e9a5b Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati
Date: Tue, 28 Apr 2026 11:29:53 +0530
Subject: python3-pillow: fix CVE-2026-40192
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192
[3] https://security-tracker.debian.org/tracker/CVE-2026-40192
Signed-off-by: Hitendra Prajapati
Signed-off-by: Anuj Mittal
---
.../python/python3-pillow/CVE-2026-40192.patch | 50 ++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
(limited to 'meta-python/recipes-devtools/python/python3-pillow')
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
new file mode 100644
index 0000000000..7e8170eec6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
@@ -0,0 +1,50 @@
+From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Date: Wed, 1 Apr 2026 00:02:08 +0300
+Subject: [PATCH] Only read as much data from gzip-decompressed data as
+ necessary (#9521)
+
+CVE: CVE-2026-40192
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
+Signed-off-by: Hitendra Prajapati
+---
+ src/PIL/FitsImagePlugin.py | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
+index 071918925..7791adc50 100644
+--- a/src/PIL/FitsImagePlugin.py
++++ b/src/PIL/FitsImagePlugin.py
+@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
+
+ def decode(self, buffer):
+ assert self.fd is not None
+- value = gzip.decompress(self.fd.read())
+-
+- rows = []
+- offset = 0
+- number_of_bits = min(self.args[0] // 8, 4)
+- for y in range(self.state.ysize):
+- row = bytearray()
+- for x in range(self.state.xsize):
+- row += value[offset + (4 - number_of_bits) : offset + 4]
+- offset += 4
+- rows.append(row)
++ with gzip.open(self.fd) as fp:
++ value = fp.read(self.state.xsize * self.state.ysize * 4)
++
++ rows = []
++ offset = 0
++ number_of_bits = min(self.args[0] // 8, 4)
++ for y in range(self.state.ysize):
++ row = bytearray()
++ for x in range(self.state.xsize):
++ row += value[offset + (4 - number_of_bits) : offset + 4]
++ offset += 4
++ rows.append(row)
+ self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
+ return -1, 0
+
+--
+2.50.1
+
-- cgit v1.2.3-54-g00ecf
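Review bot: The recipe change that wires this file in is not visible here — the commit view is limited to the patch directory, so confirm that the python3-pillow recipe gains `SRC_URI += "file://CVE-2026-40192.patch"` in the same commit, otherwise the backport is never applied at build time. In the patched `decode`, `fp.read(self.state.xsize * self.state.ysize * 4)` caps decompression at the declared image size instead of inflating the whole gzip member with `gzip.decompress(self.fd.read())`, which is the bound the CVE fix introduces; it still does not compare `len(value)` against that size, so a truncated stream yields short row slices silently, exactly as the pre-patch code did. Since this is a backport, that behaviour should stay identical to upstream rather than be adjusted in the recipe patch. The inner hunk contains the whole `decode` method, but the `FitsGzipDecoder` class header lies outside it.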