From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 1 Apr 2026 00:02:08 +0300
Subject: [PATCH] Only read as much data from gzip-decompressed data as
 necessary (#9521)

CVE: CVE-2026-40192
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 src/PIL/FitsImagePlugin.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
index 071918925..7791adc50 100644
--- a/src/PIL/FitsImagePlugin.py
+++ b/src/PIL/FitsImagePlugin.py
@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
 
     def decode(self, buffer):
         assert self.fd is not None
-        value = gzip.decompress(self.fd.read())
-
-        rows = []
-        offset = 0
-        number_of_bits = min(self.args[0] // 8, 4)
-        for y in range(self.state.ysize):
-            row = bytearray()
-            for x in range(self.state.xsize):
-                row += value[offset + (4 - number_of_bits) : offset + 4]
-                offset += 4
-            rows.append(row)
+        with gzip.open(self.fd) as fp:
+            value = fp.read(self.state.xsize * self.state.ysize * 4)
+
+            rows = []
+            offset = 0
+            number_of_bits = min(self.args[0] // 8, 4)
+            for y in range(self.state.ysize):
+                row = bytearray()
+                for x in range(self.state.xsize):
+                    row += value[offset + (4 - number_of_bits) : offset + 4]
+                    offset += 4
+                rows.append(row)
         self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
         return -1, 0
 
-- 
2.50.1