From 9ff51ff643e3f3aae57ae02e65733ca34c4e6a6b Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 19 Mar 2026 16:52:05 +0000 Subject: [PATCH 1/2] Fix integer overflow in quantize_pngquant() and replace sprintf - Add overflow check for width * height before malloc() to prevent heap buffer overflow when the product exceeds UINT_MAX - Use size_t for total_pixels to ensure correct arithmetic on 64-bit - Replace sprintf with snprintf (consistent with CVE-2024-28219 fix) Security: CWE-190 (Integer Overflow) -> CWE-122 (Heap Buffer Overflow) --- src/libImaging/QuantPngQuant.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c index a2258c3a289..435a0a70706 100644 --- a/src/libImaging/QuantPngQuant.c +++ b/src/libImaging/QuantPngQuant.c @@ -8,6 +8,7 @@ * */ +#include #include #include #include @@ -39,6 +40,13 @@ quantize_pngquant( *paletteLength = 0; *quantizedPixels = NULL; + /* Check for integer overflow in width * height to prevent + * undersized allocations leading to heap buffer overflow. */ + if (height != 0 && (size_t)width > SIZE_MAX / (size_t)height) { + goto err; + } + size_t total_pixels = (size_t)width * (size_t)height; + /* configure pngquant */ attr = liq_attr_create(); if (!attr) { @@ -77,7 +85,7 @@ quantize_pngquant( } /* write output pixels (pngquant uses char array) */ - charMatrix = malloc(width * height); + charMatrix = malloc(total_pixels); if (!charMatrix) { goto err; } 
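Review bot: The guard added in the `@@ -39,6 +40,13 @@` hunk bounds only `width * height`, but the allocation it is meant to protect in the `@@ -86,18 +94,18 @@` hunk is `malloc(sizeof(uint32_t) * total_pixels)`, and that second product is left unchecked — where `size_t` is 32 bits a `total_pixels` that passes the new check can still wrap when multiplied by 4, giving an undersized buffer that the transcription loop then overruns. Tighten the check to the widest element size, `if (height != 0 && (size_t)width > SIZE_MAX / sizeof(uint32_t) / (size_t)height) { goto err; }`, or allocate the pixel array with `calloc(total_pixels, sizeof(uint32_t))`, which performs that overflow check itself. The early `goto err` now runs before `attr` is created, so it relies on the cleanup under `err:` (outside the hunk) tolerating handles that are still NULL; worth confirming. The function quantize_pngquant begins and ends outside these hunks.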
@@ -86,18 +94,18 @@ quantize_pngquant( goto err; } for (y = 0; y < height; y++) { - charMatrixRows[y] = &charMatrix[y * width]; + charMatrixRows[y] = &charMatrix[(size_t)y * width]; } if (LIQ_OK != liq_write_remapped_image_rows(remap, image, charMatrixRows)) { goto err; } /* transcribe output pixels (pillow uses uint32_t array) */ - *quantizedPixels = malloc(sizeof(uint32_t) * width * height); + *quantizedPixels = malloc(sizeof(uint32_t) * total_pixels); if (!*quantizedPixels) { goto err; } - for (i = 0; i < width * height; i++) { + for (i = 0; i < total_pixels; i++) { (*quantizedPixels)[i] = charMatrix[i]; } @@ -126,7 +134,7 @@ const char * ImagingImageQuantVersion(void) { static char version[20]; int number = liq_version(); - sprintf(version, "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100); + snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100); return version; } From a6f86102209722b4ce7c02bed09fc6be058e3de9 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 19 Mar 2026 16:54:50 +0000 Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- src/libImaging/QuantPngQuant.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c index 435a0a70706..e8c3f6a6727 100644 --- a/src/libImaging/QuantPngQuant.c +++ b/src/libImaging/QuantPngQuant.c @@ -134,7 +134,14 @@ const char * ImagingImageQuantVersion(void) { static char version[20]; int number = liq_version(); - snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100); + snprintf( + version, + sizeof(version), + "%d.%d.%d", + number / 10000, + (number / 100) % 100, + number % 100 + ); return version; }
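Review bot: In `for (i = 0; i < total_pixels; i++)` the index `i` keeps its existing declaration (outside the hunk), and if that is an `unsigned int`, as the original 32-bit `width * height` arithmetic suggests, the comparison against a `size_t` that can now exceed `UINT_MAX` on 64-bit builds makes the loop wrap instead of terminating for such images. Declaring the loop counter at the right width, `for (size_t i = 0; i < total_pixels; i++) {`, removes that hazard; if `i` is used elsewhere in the function, change its declaration to `size_t` instead. The `(size_t)y * width` cast above shows the same concern was already handled for the row pointers. The `snprintf` change in the `@@ -126,7 +134,7 @@` hunk cannot truncate with a 20-byte buffer and three `int` fields, so no return-value check is needed there.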