python-pillow/CVE-2026-55380.patch
Lumir Balhar 4a648bc0d4 Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380
Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731
2026-07-10 11:55:04 +00:00

37 lines
1.0 KiB
Diff

From 5b9cc2556f54493f15420ecc842c54b81845930d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
Date: Wed, 8 Jul 2026 13:03:39 +0000
Subject: [PATCH 2/2] Add decompression bomb check to GdImageFile
Fixes CVE-2026-55380
Backport of upstream commit f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
---
src/PIL/GdImageFile.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/PIL/GdImageFile.py b/src/PIL/GdImageFile.py
index 09ab5ec..f3c0e1d 100644
--- a/src/PIL/GdImageFile.py
+++ b/src/PIL/GdImageFile.py
@@ -23,7 +23,7 @@
# purposes only.
-from . import ImageFile, ImagePalette
+from . import Image, ImageFile, ImagePalette
from ._binary import i16be as i16
from ._util import isPath
@@ -55,6 +55,8 @@ class GdImageFile(ImageFile.ImageFile):
self.mode = "L" # FIXME: "P"
self.size = i16(s[0:2]), i16(s[2:4])
+ Image._decompression_bomb_check(self.size)
+
# transparency index
tindex = i16(s[5:7])
if tindex < 256:
--
2.54.0