Merge branch 'python-pillow:main' into usepcf

Author: fjhenigman

.github/workflows/test.yml

@@ -29,6 +29,7 @@ concurrency:
 env:
   COVERAGE_CORE: sysmon
   FORCE_COLOR: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
   build:

Tests/images/psd-oob-write-x.psd

@@ -182,3 +182,20 @@ def test_layer_crashes(test_file: str) -> None:
         assert isinstance(im, PsdImagePlugin.PsdImageFile)
         with pytest.raises(SyntaxError):
             im.layers
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/psd-oob-write.psd",
+        "Tests/images/psd-oob-write-x.psd",
+        "Tests/images/psd-oob-write-y.psd",
+    ],
+)
+def test_bounds_crash(test_file: str) -> None:
+    with Image.open(test_file) as im:
+        assert isinstance(im, PsdImagePlugin.PsdImageFile)
+        im.seek(im.n_frames)
+
+        with pytest.raises(ValueError):
+            im.load()

Tests/images/psd-oob-write-y.psd

@@ -163,6 +163,13 @@ def test_negative_offset(self) -> None:
             with pytest.raises(ValueError, match="Tile offset cannot be negative"):
                 im.load()
 
+    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
+    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
+        im = Image.new("1", (1, 1))
+        fp = BytesIO()
+        with pytest.raises(SystemError, match="tile cannot extend outside image"):
+            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
+
     def test_no_format(self) -> None:
         buf = BytesIO(b"\x00" * 255)
 

Tests/images/psd-oob-write.psd

@@ -75,7 +75,7 @@ These platforms have been reported to work at the versions mentioned.
 | Operating system                 | | Tested Python             | | Latest tested  | | Tested     |
 |                                  | | versions                  | | Pillow version | | processors |
 +==================================+=============================+==================+==============+
-| macOS 26 Tahoe                   | 3.10, 3.11, 3.12, 3.13, 3.14| 12.0.0           |arm           |
+| macOS 26 Tahoe                   | 3.10, 3.11, 3.12, 3.13, 3.14| 12.1.1           |arm           |
 |                                  +-----------------------------+------------------+              |
 |                                  | 3.9                         | 11.3.0           |              |
 +----------------------------------+-----------------------------+------------------+--------------+

Tests/test_file_psd.py

@@ -0,0 +1,24 @@
+12.1.1
+------
+
+Security
+========
+
+:cve:`2026-25990`: Fix OOB write with invalid tile extents
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Check that tile extents do not use negative x or y offsets when decoding or encoding,
+and raise an error if they do, rather than allowing an OOB write.
+
+An out-of-bounds write may be triggered when opening a specially crafted PSD image.
+This only affects Pillow >= 10.3.0. Reported by
+`Yarden Porat <https://github.com/yardenporat353>`__.
+
+Other changes
+=============
+
+Patch libavif for svt-av1 4.0 compatibility
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A patch has been added to ``depends/install_libavif.sh``, to allow libavif 1.3.0 to be
+compatible with the recently released svt-av1 4.0.0.

Tests/test_imagefile.py

@@ -15,6 +15,7 @@ expected to be backported to earlier versions.
   :maxdepth: 2
 
   versioning
+  12.1.1
   12.1.0
   12.0.0
   11.3.0

docs/installation/platform-support.rst

@@ -210,8 +210,8 @@ def _save(im: Image.Image, fp: IO[bytes], filename: str | bytes) -> None:
 #
 # --------------------------------------------------------------------
 
-Image.register_save("Palm", _save)
+Image.register_save("PALM", _save)
 
-Image.register_extension("Palm", ".palm")
+Image.register_extension("PALM", ".palm")
 
-Image.register_mime("Palm", "image/palm")
+Image.register_mime("PALM", "image/palm")