From 26e592961707b84111315e4a08f4d382289647bb Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Tue, 22 Dec 2020 16:06:44 +1100
Subject: [PATCH 1/2] Fixed comparison between int and unsigned long
---
 src/_imaging.c | 2 +-
 src/libImaging/Draw.c | 6 +++---
 src/libImaging/RankFilter.c | 2 +-
 src/libImaging/Resample.c | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/_imaging.c b/src/_imaging.c
index 0b0cfe3f89d..0f8c9d61f3c 100644
--- a/src/_imaging.c
+++ b/src/_imaging.c
@@ -3928,7 +3928,7 @@ _set_blocks_max(PyObject* self, PyObject* args)
 "blocks_max should be greater than 0");
 return NULL;
 }
- else if ( blocks_max > SIZE_MAX/sizeof(ImagingDefaultArena.blocks_pool[0])) {
+ else if ( (unsigned long)blocks_max > SIZE_MAX/sizeof(ImagingDefaultArena.blocks_pool[0])) {
 PyErr_SetString(PyExc_ValueError,
 "blocks_max is too large");
 return NULL;
diff --git a/src/libImaging/Draw.c b/src/libImaging/Draw.c
index a2b2b10f37c..339e1cd35b8 100644
--- a/src/libImaging/Draw.c
+++ b/src/libImaging/Draw.c
@@ -1115,7 +1115,7 @@ int clip_tree_do_clip(clip_node* root, int32_t x0, int32_t y, int32_t x1, event_
 if ((root->type == CT_OR && (
 (t->type == 1 && (tail == NULL || tail->type == -1)) ||
 (t->type == -1 && k1 == 0 && k2 == 0)
- )) ||
+ )) ||
 (root->type == CT_AND && (
 (t->type == 1 && (tail == NULL || tail->type == -1) && k1 > 0 && k2 > 0) ||
 (t->type == -1 && tail != NULL && tail->type == 1 && (k1 == 0 || k2 == 0))
@@ -1359,7 +1359,7 @@ void pie_init(clip_ellipse_state* s, int32_t a, int32_t b, int32_t w, float al,
 rc->a = yr;
 rc->b = -xr;
 rc->c = 0;
-
+
 s->root = s->nodes + s->node_count++;
 s->root->l = lc;
 s->root->r = rc;
@@ -1630,7 +1630,7 @@ allocate(ImagingOutline outline, int extra)
 /* malloc check ok, uses calloc for overflow */
 e = calloc(outline->size, sizeof(Edge));
 } else {
- if (outline->size > INT_MAX / sizeof(Edge)) {
+ if (outline->size > INT_MAX / (int)sizeof(Edge)) {
 return NULL;
 }
 /* malloc check ok, overflow checked above */
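Review bot: The cast added in the `_set_blocks_max` hunk of src/_imaging.c, `(unsigned long)blocks_max`, names a type that is not the type of the limit it is compared against: `SIZE_MAX/sizeof(...)` is a `size_t`, and `unsigned long` is narrower than `size_t` on LLP64 targets such as 64-bit Windows. For positive values the two casts agree, but a negative value would wrap to a 32-bit quantity there and could pass the limit, so the test relies on the preceding branch (its condition is outside the hunk; only its message "blocks_max should be greater than 0" is visible) having rejected non-positive input. I would state the comparison in the limit's own type, `else if ((size_t)blocks_max > SIZE_MAX/sizeof(ImagingDefaultArena.blocks_pool[0])) {`, so the check does not depend on the width of `long`.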
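Review bot: Casting `sizeof(Edge)` to `int` in the `allocate` hunk of Draw.c turns `outline->size > INT_MAX / (int)sizeof(Edge)` into a signed comparison, so a negative `outline->size` is no longer rejected; in the old form the left operand was converted to an unsigned type and a negative value compared as a huge one, which returned NULL. Whether `outline->size` can become negative (presumably it is an `int`, and the code that grows it is outside the hunk) needs confirming against the rest of allocate(), because the allocation covered by the `overflow checked above` comment follows this guard. Keeping the old rejection while still silencing the warning would be `if (outline->size < 0 || outline->size > INT_MAX / (int)sizeof(Edge)) {`. The same narrowing is made in the RankFilter.c hunk (the `int size` parameter) and the Resample.c hunk (`outSize`), where a negative left operand is likewise no longer caught by the test.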
diff --git a/src/libImaging/RankFilter.c b/src/libImaging/RankFilter.c
index e4f2679b2cd..897e4d7b6ba 100644
--- a/src/libImaging/RankFilter.c
+++ b/src/libImaging/RankFilter.c
@@ -72,7 +72,7 @@ ImagingRankFilter(Imaging im, int size, int rank)
 /* malloc check ok, for overflow in the define below */
 if (size > INT_MAX / size ||
- size > INT_MAX / (size * sizeof(FLOAT32))) {
+ size > INT_MAX / (size * (int)sizeof(FLOAT32))) {
 return (Imaging) ImagingError_ValueError("filter size too large");
 }
diff --git a/src/libImaging/Resample.c b/src/libImaging/Resample.c
index ec35303d8c5..b12e023f8c5 100644
--- a/src/libImaging/Resample.c
+++ b/src/libImaging/Resample.c
@@ -208,7 +208,7 @@ precompute_coeffs(int inSize, float in0, float in1, int outSize,
 ksize = (int) ceil(support) * 2 + 1;
 // check for overflow
- if (outSize > INT_MAX / (ksize * sizeof(double))) {
+ if (outSize > INT_MAX / (ksize * (int)sizeof(double))) {
 ImagingError_MemoryError();
 return 0;
 }
From 36dc83e3ac2437b34253bdc66f2bffa4362e2537 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Tue, 22 Dec 2020 16:07:32 +1100
Subject: [PATCH 2/2] Fixed comparison between unsigned int and int
---
 src/libImaging/Jpeg2KDecode.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
index b08e607a706..8cce5454f40 100644
--- a/src/libImaging/Jpeg2KDecode.c
+++ b/src/libImaging/Jpeg2KDecode.c
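Review bot: In the `precompute_coeffs` hunk of Resample.c the divisor `ksize * (int)sizeof(double)` is now an `int` multiplication, so the product can itself overflow (undefined behaviour for signed `int`) inside the very test that is meant to detect overflow; before the change it was computed in `size_t`. `ksize` comes from `(int) ceil(support) * 2 + 1` on the context line above, and its upper bound is not visible in this hunk. Dividing in two steps avoids forming the product at all: `if (outSize > INT_MAX / (int)sizeof(double) / ksize) {`. The RankFilter.c hunk has the same shape in `size * (int)sizeof(FLOAT32)`, although there the first clause `size > INT_MAX / size` bounds a positive `size` before the product is evaluated.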
@@ -742,10 +742,12 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
 swapped), bail. */
 if (tile_info.x0 >= tile_info.x1
 || tile_info.y0 >= tile_info.y1
- || tile_info.x0 < (OPJ_INT32)image->x0
- || tile_info.y0 < (OPJ_INT32)image->y0
- || tile_info.x1 - image->x0 > im->xsize
- || tile_info.y1 - image->y0 > im->ysize) {
+ || tile_info.x0 < 0
+ || tile_info.y0 < 0
+ || (OPJ_UINT32)tile_info.x0 < image->x0
+ || (OPJ_UINT32)tile_info.y0 < image->y0
+ || (OPJ_INT32)(tile_info.x1 - image->x0) > im->xsize
+ || (OPJ_INT32)(tile_info.y1 - image->y0) > im->ysize) {
 state->errcode = IMAGING_CODEC_BROKEN;
 state->state = J2K_STATE_FAILED;
 goto quick_exit;
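Review bot: The last two clauses, `(OPJ_INT32)(tile_info.x1 - image->x0) > im->xsize` and its `y` counterpart, are safe only because of the clauses that precede them, and nothing in the condition says so. The subtraction appears to be carried out in unsigned arithmetic (`image->x0` is compared as `OPJ_UINT32` two lines up), and it cannot wrap only once short-circuit evaluation has established `tile_info.x0 < tile_info.x1`, `tile_info.x0 >= 0` and `tile_info.x0 >= image->x0`. Since this test is what keeps tile coordinates read from the file inside `im->xsize` and `im->ysize`, I would record the dependency next to it, for example `/* order matters: earlier clauses guarantee x1 > x0 >= image->x0 (same for y), so the unsigned differences below cannot wrap */`. The opening of the existing comment and the rest of j2k_decode_entry lie outside the hunk.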