diff --git a/python-pillow.spec b/python-pillow.spec
index 7cfff2a..d52aadd 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -25,7 +25,7 @@
 
 Name:           python-pillow
 Version:        2.1.0
-Release:        2%{?snap}%{?dist}
+Release:        3%{?snap}%{?dist}
 Summary:        Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -38,6 +38,8 @@ Source0:        https://github.com/python-imaging/Pillow/tarball/%{commit}/pytho
 
 # Add s390* and ppc* archs
 Patch0:         python-pillow-archs.patch
+# Fix memory corruption caused by incorrect palette size
+Patch1:         python-pillow_bytearray.patch$
 
 BuildRequires:  python2-devel
 BuildRequires:  python-setuptools
@@ -207,6 +209,7 @@ PIL image wrapper for Qt.
 %prep
 %setup -q -n python-imaging-Pillow-%{shortcommit}
 %patch0 -p1 -b .archs
+%patch1 -p1 -b .bytes
 
 %if %{with_python3}
 # Create Python 3 source tree
@@ -358,6 +361,9 @@ popd
 %endif
 
 %changelog
+* Wed Aug 28 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-3
+- Add patch to fix memory corruption caused by invalid palette size, see rhbz#1001122
+
 * Tue Jul 30 2013 Karsten Hopp <karsten@redhat.com> 2.1.0-2
 - Build without webp support on ppc* archs (#988767)
 
diff --git a/python-pillow_bytearray.patch b/python-pillow_bytearray.patch
new file mode 100644
index 0000000..1b8d2f0
--- /dev/null
+++ b/python-pillow_bytearray.patch
@@ -0,0 +1,37 @@
+diff --git a/PIL/Image.py b/PIL/Image.py
+index cafc5a2..794ee49 100644
+--- a/PIL/Image.py
++++ b/PIL/Image.py
+@@ -718,7 +718,7 @@ class Image:
+         if self.mode == "L" and mode == "RGBA" and "transparency" in self.info:
+             from PIL import ImagePalette
+             self.mode = "P"
+-            bytePalette = bytes([i//3 for i in range(768)])
++            bytePalette = bytes(bytearray([i//3 for i in range(768)]))
+             self.palette = ImagePalette.raw("RGB", bytePalette)
+             self.palette.dirty = 1
+             self.load()
+diff --git a/_imaging.c b/_imaging.c
+index 2ee7eef..6ec7346 100644
+--- a/_imaging.c
++++ b/_imaging.c
+@@ -286,6 +286,7 @@ static const char* wrong_mode = "unrecognized image mode";
+ static const char* wrong_raw_mode = "unrecognized raw mode";
+ static const char* outside_image = "image index out of range";
+ static const char* outside_palette = "palette index out of range";
++static const char* wrong_palette_size = "invalid palette size";
+ static const char* no_palette = "image has no palette";
+ static const char* readonly = "image is readonly";
+ /* static const char* no_content = "image has no content"; */
+@@ -1412,6 +1413,11 @@ _putpalette(ImagingObject* self, PyObject* args)
+     return NULL;
+     }
+ 
++    if ( palettesize * 8 / bits > 256) {
++    PyErr_SetString(PyExc_ValueError, wrong_palette_size);
++    return NULL;
++    }
++
+     ImagingPaletteDelete(self->image->palette);
+ 
+     strcpy(self->image->mode, "P");