From 657d6ea4b6247f0b23d428fc523a12b07a934f84 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Mon, 9 Feb 2026 11:07:07 +0200
Subject: [PATCH 1/5] CI: Disable pip upgrade warning

---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 103d915c0..3a206e269 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,6 +29,7 @@ concurrency:
 env:
   COVERAGE_CORE: sysmon
   FORCE_COLOR: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
   build:

From 54ba4db542ad3c7b918812a4e2d69c27735a3199 Mon Sep 17 00:00:00 2001
From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
Date: Wed, 11 Feb 2026 10:24:50 +1100
Subject: [PATCH 2/5] Fix OOB Write with invalid tile extents (#9427)

Co-authored-by: Eric Soroos <eric-github@soroos.net>
---
 Tests/images/psd-oob-write-x.psd | Bin 0 -> 1126 bytes
 Tests/images/psd-oob-write-y.psd | Bin 0 -> 1126 bytes
 Tests/images/psd-oob-write.psd   | Bin 0 -> 37212 bytes
 Tests/test_file_psd.py           |  17 +++++++++++++++++
 Tests/test_imagefile.py          |   7 +++++++
 docs/releasenotes/12.1.1.rst     |  24 ++++++++++++++++++++++++
 docs/releasenotes/index.rst      |   1 +
 src/decode.c                     |   3 ++-
 src/encode.c                     |   3 ++-
 9 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 Tests/images/psd-oob-write-x.psd
 create mode 100644 Tests/images/psd-oob-write-y.psd
 create mode 100644 Tests/images/psd-oob-write.psd
 create mode 100644 docs/releasenotes/12.1.1.rst

diff --git a/Tests/images/psd-oob-write-x.psd b/Tests/images/psd-oob-write-x.psd
new file mode 100644
index 0000000000000000000000000000000000000000..86359f4cb7e826a69a8e69a4b85947498ec18923
GIT binary patch
literal 1126
zcma)5J!lkB5dL=WC-F>3z$=1SY;juU8Wp`VZp09|z;cO@XbSh|ZgXUJ@7TRX4pIuX
z0SkW`qZT&S+FIBOg5VE`wTL!~HWJqFz0GA0$%PEez3<J;H#cu)wx%1)P>@QFhrkNP
zAuvV#TGJPoazEr{TAAgkKpC9EmzOT6P~@#DuSJ<hm6j=CQFnxTwjbr^06*x3jRjp>
zUAwN0ePiq~9H(A1?WlXnFzSMFu>5&1Gvi%V<T^NJq;=A1Mm8UyF=Ec{hCSk&#20S$
zx&q%PF54TXL;Re0He`XsABEjY@ppk;iB&?B!<EK7-&Q8p+#zfYVS6L=8FQX76~_;l
zUtLYHBk-2Mz8AALDPjf_&EVQH&kFSv7O;pV7|>uLMjIY_sPYVGiO`^5AHhE<`36}Q
zS#8*4Tt){zOv#6s0b?jxZ==?^v(ltY=s@91lKeUijNJuxx0B@W<0RRA0^~jeuY!!<
z*#T<5Y2VIll}EtTZQ#Z0%x2vKUfuy_K6TB|l>Z~PO>MP+pU;5FHQ>ZspmZbc8-2o$
zryqb7_Nx8{c<>N7<1+X9h<A^Zu-~^sWA^&TIbWq-;U;II5Gs4$Lb}sM=`V`S4mzQq
zq_OJ*N=Y~EO*ibs9I}Y<;-F3647CKEJ-4w57a=DQb9#=9>9@HB$WwFjZhIlIc)`9T
z6kgJL@)8%N^RTLn0liQ+`%UH?s%V<N0_v=&k0$F$eOV>)+x7mhM3JvQ>aRNJ<v*Wo
Br)B^E

literal 0
HcmV?d00001

diff --git a/Tests/images/psd-oob-write-y.psd b/Tests/images/psd-oob-write-y.psd
new file mode 100644
index 0000000000000000000000000000000000000000..73498266a7d732ad70be649718229fa5f07997b7
GIT binary patch
literal 1126
zcma)5O=uHQ5dL=a(;8b^Foz-@_7FWa7ZuI1ZpBhbVM!~r+JpO(Y(sZ9VK++&coe)A
zJot05>cNX=y?XE}2!cN#o<;Pc=tau<y|;-Qq$v(e-uGtao6MV;t?9-p6r_^lA+Ul;
z2ux8w*YxF;+&6idRpxmrP==@Q<)sTM6nU%4Yf<J=rDaA~)IFh|?ML|qzz=$1V@cQ6
zH?C?EUl@A?N2%vcJL+CAjJjYPEWh5$%y?53xeksQYn^tQk<ABaj99R{VUPGa@wuH|
zSKzzEWqZqXh@TSAhb)lzy|7y;{wlC5u}X+?xYk(Y+see6JA$ndY;T1=W6m<B;`jmc
ztLrIt1im4#@5QW5ikQJvGq|$KvqC+AB`jkF1~gcR(T0Z}syqW)A~fjN$MBC!zCo5n
zRvR`M7tw(aQ}Q8Zz!*x_+o*Nsv@|JGI#BqOBtK396Ssl=-6Z+_FiG|w0lAOBiy-57
z_JG<?+IKTs<pD5r6L|JAvsrh5=eK~l4_z}f<^PCnQ(G<I`x9V#132~?C|yhYMxXHG
z@jGCRy{f+g?%fAYxy-#e=G~Jd{O#MJF@yeb&X=i|xXGC)gv#JsNO!s@{YA0aK_~Q+
zG<I`HDe0!Y?S`G0Ll!Y!9JJ}1qn4nv=Qg(CBIE>OPS24s{WiA%d1_AHZ7(DiFOZT@
z1~9EBFYiTZJFF^Wz(S#J_M6N(Qqe4Z1=LwlA5GSi`m##ox9j~=340;B^S{69u$O-T
DuU)5R

literal 0
HcmV?d00001

diff --git a/Tests/images/psd-oob-write.psd b/Tests/images/psd-oob-write.psd
new file mode 100644
index 0000000000000000000000000000000000000000..65a4472cf263a94277952c06903709afb0c8213f
GIT binary patch
literal 37212
zcmeI!I|{-;5CG8e2f;Js6jo_XXCVk)LDH$<2|S2L%6V+#=3`?OM1sW|nCvc@*<D_>
zMR_>JEc#fa;nZao?R<!Q8IecK-|IB4yX<SKuD|O3S4FwoU#_=vGZZ&X^GNwj%T3Bv
zzi(EzJ?WeF%<9jci0uU7lnIa>L4W`O0t5&U7$GptyKKZoln@|5fB*pk1ildPmiYor
z3jqQI2oNCfHv$oNL4W`O0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
t009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&I~yZ}A8uQLDu

literal 0
HcmV?d00001

diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
index 8f2ca58a6..8a2636dfe 100644
--- a/Tests/test_file_psd.py
+++ b/Tests/test_file_psd.py
@@ -182,3 +182,20 @@ def test_layer_crashes(test_file: str) -> None:
         assert isinstance(im, PsdImagePlugin.PsdImageFile)
         with pytest.raises(SyntaxError):
             im.layers
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/psd-oob-write.psd",
+        "Tests/images/psd-oob-write-x.psd",
+        "Tests/images/psd-oob-write-y.psd",
+    ],
+)
+def test_bounds_crash(test_file: str) -> None:
+    with Image.open(test_file) as im:
+        assert isinstance(im, PsdImagePlugin.PsdImageFile)
+        im.seek(im.n_frames)
+
+        with pytest.raises(ValueError):
+            im.load()
diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
index 8a0abbd39..6656ee506 100644
--- a/Tests/test_imagefile.py
+++ b/Tests/test_imagefile.py
@@ -163,6 +163,13 @@ class TestImageFile:
             with pytest.raises(ValueError, match="Tile offset cannot be negative"):
                 im.load()
 
+    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
+    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
+        im = Image.new("1", (1, 1))
+        fp = BytesIO()
+        with pytest.raises(SystemError, match="tile cannot extend outside image"):
+            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
+
     def test_no_format(self) -> None:
         buf = BytesIO(b"\x00" * 255)
 
diff --git a/docs/releasenotes/12.1.1.rst b/docs/releasenotes/12.1.1.rst
new file mode 100644
index 000000000..9c119ceb8
--- /dev/null
+++ b/docs/releasenotes/12.1.1.rst
@@ -0,0 +1,24 @@
+12.1.1
+------
+
+Security
+========
+
+:cve:`2021-25289`: Fix OOB write with invalid tile extents
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Check that tile extents do not use negative x or y offsets when decoding or encoding,
+and raise an error if they do, rather than allowing an OOB write.
+
+An out-of-bounds write may be triggered when opening a specially crafted PSD image.
+This only affects Pillow >= 10.3.0. Reported by
+`Yarden Porat <https://github.com/yardenporat353>`__.
+
+Other changes
+=============
+
+Patch libavif for svt-av1 4.0 compatibility
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A patch has been added to ``depends/install_libavif.sh``, to allow libavif 1.3.0 to be
+compatible with the recently released svt-av1 4.0.0.
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst
index 4b25bb6a2..690be2072 100644
--- a/docs/releasenotes/index.rst
+++ b/docs/releasenotes/index.rst
@@ -15,6 +15,7 @@ expected to be backported to earlier versions.
   :maxdepth: 2
 
   versioning
+  12.1.1
   12.1.0
   12.0.0
   11.3.0
diff --git a/src/decode.c b/src/decode.c
index 051623ed4..7ec461c0e 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) {
         state->ysize = y1 - y0;
     }
 
-    if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
         state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
         PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
         return NULL;
diff --git a/src/encode.c b/src/encode.c
index 513309c8d..06e4a0893 100644
--- a/src/encode.c
+++ b/src/encode.c
@@ -254,7 +254,8 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) {
         state->ysize = y1 - y0;
     }
 
-    if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize ||
+    if (state->xoff < 0 || state->xsize <= 0 ||
+        state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
         state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
         PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
         return NULL;

From a15f9c6121b236e1463b798131c07bd1ab08ffc6 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 11 Feb 2026 13:48:11 +0200
Subject: [PATCH 3/5] Fix CVE number (#9430)

---
 docs/releasenotes/12.1.1.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/releasenotes/12.1.1.rst b/docs/releasenotes/12.1.1.rst
index 9c119ceb8..86083b4ad 100644
--- a/docs/releasenotes/12.1.1.rst
+++ b/docs/releasenotes/12.1.1.rst
@@ -4,7 +4,7 @@
 Security
 ========
 
-:cve:`2021-25289`: Fix OOB write with invalid tile extents
+:cve:`2026-25990`: Fix OOB write with invalid tile extents
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Check that tile extents do not use negative x or y offsets when decoding or encoding,

From 27765189c8d7edb7a17ea0dbefcc258e5ee7e427 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 11 Feb 2026 23:51:33 +1100
Subject: [PATCH 4/5] Updated macOS tested Pillow versions

---
 docs/installation/platform-support.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/installation/platform-support.rst b/docs/installation/platform-support.rst
index 0789b02b7..7a8707b9a 100644
--- a/docs/installation/platform-support.rst
+++ b/docs/installation/platform-support.rst
@@ -75,7 +75,7 @@ These platforms have been reported to work at the versions mentioned.
 | Operating system                 | | Tested Python             | | Latest tested  | | Tested     |
 |                                  | | versions                  | | Pillow version | | processors |
 +==================================+=============================+==================+==============+
-| macOS 26 Tahoe                   | 3.10, 3.11, 3.12, 3.13, 3.14| 12.0.0           |arm           |
+| macOS 26 Tahoe                   | 3.10, 3.11, 3.12, 3.13, 3.14| 12.1.1           |arm           |
 |                                  +-----------------------------+------------------+              |
 |                                  | 3.9                         | 11.3.0           |              |
 +----------------------------------+-----------------------------+------------------+--------------+

From 3795a1b916b690d1f23d9230c65718a75b9dfa26 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Thu, 12 Feb 2026 19:58:36 +1100
Subject: [PATCH 5/5] Use uppercase format id

---
 src/PIL/PalmImagePlugin.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/PIL/PalmImagePlugin.py b/src/PIL/PalmImagePlugin.py
index 15f712908..232adf3d3 100644
--- a/src/PIL/PalmImagePlugin.py
+++ b/src/PIL/PalmImagePlugin.py
@@ -210,8 +210,8 @@ def _save(im: Image.Image, fp: IO[bytes], filename: str | bytes) -> None:
 #
 # --------------------------------------------------------------------
 
-Image.register_save("Palm", _save)
+Image.register_save("PALM", _save)
 
-Image.register_extension("Palm", ".palm")
+Image.register_extension("PALM", ".palm")
 
-Image.register_mime("Palm", "image/palm")
+Image.register_mime("PALM", "image/palm")