From a94def348a72786e433e19dbc7c8cdd5bef02e11 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 20 Jun 2026 11:53:14 +1000
Subject: [PATCH 1/2] Validate large filter sizes when initializing RankFilter

---
 Tests/test_image_filter.py | 3 +++
 src/PIL/ImageFilter.py     | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/Tests/test_image_filter.py b/Tests/test_image_filter.py
index 5a7d3f90a0a..cebf1791ede 100644
--- a/Tests/test_image_filter.py
+++ b/Tests/test_image_filter.py
@@ -150,6 +150,9 @@ def test_rankfilter_properties() -> None:
     with pytest.raises(ValueError, match="bad filter size"):
         ImageFilter.MinFilter(2)
 
+    with pytest.raises(ValueError, match="filter size too large"):
+        ImageFilter.RankFilter(23171, 1)
+
     with pytest.raises(ValueError, match="bad rank value"):
         ImageFilter.RankFilter(1, 1)
 
diff --git a/src/PIL/ImageFilter.py b/src/PIL/ImageFilter.py
index fb08e9439a3..af15e18c2f3 100644
--- a/src/PIL/ImageFilter.py
+++ b/src/PIL/ImageFilter.py
@@ -102,6 +102,9 @@ def __init__(self, size: int, rank: int) -> None:
         if size % 2 == 0:
             msg = "bad filter size"
             raise ValueError(msg)
+        if size * size * 4 > (2**31 - 1):
+            msg = "filter size too large"
+            raise ValueError(msg)
         if rank < 0 or rank >= size * size:
             msg = "bad rank value"
             raise ValueError(msg)

From dff01a0821c1f1cc8fa35cee5cc08e86399aac7c Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 6 Jun 2026 23:01:14 +1000
Subject: [PATCH 2/2] Validate margin in ImagingExpand

---
 Tests/test_image_filter.py | 3 +++
 src/libImaging/Filter.c    | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/Tests/test_image_filter.py b/Tests/test_image_filter.py
index cebf1791ede..6fe6b594f61 100644
--- a/Tests/test_image_filter.py
+++ b/Tests/test_image_filter.py
@@ -152,6 +152,9 @@ def test_rankfilter_properties() -> None:
 
     with pytest.raises(ValueError, match="filter size too large"):
         ImageFilter.RankFilter(23171, 1)
+    im = Image.new("1", (1, 1))
+    with pytest.raises(ValueError, match="filter size too large"):
+        im.im.expand(23171)
 
     with pytest.raises(ValueError, match="bad rank value"):
         ImageFilter.RankFilter(1, 1)
diff --git a/src/libImaging/Filter.c b/src/libImaging/Filter.c
index 9b09bf2c6b7..f609b2be8c6 100644
--- a/src/libImaging/Filter.c
+++ b/src/libImaging/Filter.c
@@ -59,6 +59,9 @@ ImagingExpand(Imaging imIn, int margin) {
     if (margin < 0) {
         return (Imaging)ImagingError_ValueError("bad kernel size");
     }
+    if (margin > INT_MAX / (margin * (int)sizeof(FLOAT32))) {
+        return (Imaging)ImagingError_ValueError("filter size too large");
+    }
 
     imOut =
         ImagingNewDirty(imIn->mode, imIn->xsize + 2 * margin, imIn->ysize + 2 * margin);