diff --git a/backport-CVE-2020-35655.patch b/backport-CVE-2020-35655.patch
new file mode 100644
index 0000000000000000000000000000000000000000..73c477e1b209e820b06d49899bcffe956434d8eb
--- /dev/null
+++ b/backport-CVE-2020-35655.patch
@@ -0,0 +1,102 @@
+diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/SgiRleDecode.c Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c
+--- Pillow-7.2.0/src/libImaging/SgiRleDecode.c 2020-06-30 09:50:35.000000000 +0200
++++ Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c 2021-01-15 19:51:18.176808192 +0100
+@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ int err = 0;
+ int status;
+ 
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ state->ystep = 1;
+ }
+ 
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+ if (!state->buffer ||
+@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ 
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+ 
+ /* row decompression */
+@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -209,7 +221,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return state->count - c->bufsize;
+ }
+diff -rupN --no-dereference Pillow-7.2.0/Tests/test_sgi_crash.py Pillow-7.2.0-new/Tests/test_sgi_crash.py
+--- Pillow-7.2.0/Tests/test_sgi_crash.py 2020-06-30 09:50:35.000000000 +0200
++++ Pillow-7.2.0-new/Tests/test_sgi_crash.py 2021-01-15 19:51:18.176808192 +0100
+@@ -5,7 +5,12 @@ from PIL import Image
+ 
+ @pytest.mark.parametrize(
+ "test_file",
+- ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"],
++ [
++ "Tests/images/sgi_overrun_expandrowF04.bin",
++ "Tests/images/sgi_crash.bin",
++ "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi",
++ "Tests/images/ossfuzz-5730089102868480.sgi",
++ ],
+ )
+ def test_crashes(test_file):
+ with open(test_file, "rb") as f:
diff --git a/python-pillow.spec b/python-pillow.spec
index 9fee38beb412a16d8155b564172ae9d1d3972961..8414db08888ebddc35c167d1646b5f96f3d98ae8 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
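Review bot: The new table-size guard `if (c->bufsize < 8*c->tablen)` in the first SgiRleDecode.c hunk multiplies before comparing, so if `tablen` and `bufsize` are plain `int` (their declarations are not in this patch) a large `bands * ysize` can overflow `8*c->tablen` and let an undersized buffer through; comparing by division avoids that: `if (c->bufsize < 0 || c->tablen > c->bufsize / 8) {`. Separately, the two overrun paths that now `goto sgi_finish_decode` set `state->errcode` but leave `err` at 0, so the cleanup label falls through to `return state->count - c->bufsize;` instead of the `-1` that the other error paths in this patch return; assigning `err = IMAGING_CODEC_OVERRUN;` before the jump would keep them consistent. The results of `_imaging_tell_pyFd` and `_imaging_read_pyFd` in the context lines are not checked, so a short read would leave part of `ptr` uninitialized, which is worth a follow-up. Only fragments of ImagingSgiRleDecode are visible in these hunks, so how callers treat the return value cannot be confirmed from here.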
@@ -3,13 +3,14 @@ Name: python-pillow Version: 7.2.0 -Release: 2 +Release: 3 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz Patch0000: backport-CVE-2020-35653.patch +Patch6000: backport-CVE-2020-35655.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel @@ -95,6 +96,9 @@ popd %doc docs/_build_py3/html %changelog +* Tue Feb 23 2021 jinzhimin - 7.2.0-3 +- fix CVE-2020-35655 + * Thu Jan 28 2021 renmingshuai - 7.2.0-2 - fix CVE-2020-35653