From 5debc09d32d03b1d0e3ad4b1a6967a63df966acf Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 19 Mar 2026 16:53:43 +0000
Subject: [PATCH 1/2] Replace all remaining sprintf() with snprintf()
Replace unsafe sprintf() calls with bounds-checked snprintf() in:
- src/libImaging/QuantPngQuant.c (version string)
- src/libImaging/JpegEncode.c (version string)
- src/_webp.c (error messages and version string, 4 call sites)
This is consistent with the fix applied in CVE-2024-28219 which addressed the same class of vulnerability in font rendering code.
Security: CWE-120 (Buffer Copy without Checking Size of Input)
---
 src/_webp.c | 12 +++++++-----
 src/libImaging/JpegEncode.c | 2 +-
 src/libImaging/QuantPngQuant.c | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/_webp.c b/src/_webp.c
index d065e329c6b..d1ad742d5e2 100644
--- a/src/_webp.c
+++ b/src/_webp.c
@@ -53,10 +53,10 @@ HandleMuxError(WebPMuxError err, char *chunk) {
 // Create the error message
 if (chunk == NULL) {
 message_len =
- sprintf(message, "could not assemble chunks: %s", kErrorMessages[-err]);
+ snprintf(message, sizeof(message), "could not assemble chunks: %s", kErrorMessages[-err]);
 } else {
- message_len = sprintf(
- message, "could not set %.4s chunk: %s", chunk, kErrorMessages[-err]
+ message_len = snprintf(
+ message, sizeof(message), "could not set %.4s chunk: %s", chunk, kErrorMessages[-err]
 );
 }
 if (message_len < 0) {
@@ -649,8 +649,9 @@ WebPEncode_wrapper(PyObject *self, PyObject *args) {
 int error_code = (&pic)->error_code;
 char message[50] = "";
 if (error_code == VP8_ENC_ERROR_BAD_DIMENSION) {
- sprintf(
+ snprintf(
 message,
+ sizeof(message),
 ": Image size exceeds WebP limit of %d pixels",
 WEBP_MAX_DIMENSION
 );
@@ -743,8 +744,9 @@ const char *
 WebPDecoderVersion_str(void) {
 static char version[20];
 int version_number = WebPGetDecoderVersion();
- sprintf(
+ snprintf(
 version,
+ sizeof(version),
 "%d.%d.%d",
 version_number >> 16,
 (version_number >> 8) % 0x100, 
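Review bot: The `if (message_len < 0)` guard that closes this hunk no longer detects an over-long message: snprintf() returns the length the full string would have had, so on truncation message_len is greater than or equal to sizeof(message) and the clipped text is passed on as though it were complete. If a silently shortened error message is not acceptable, widen the guard to `if (message_len < 0 || (size_t)message_len >= sizeof(message)) {`; if truncation is fine, say so next to the call, e.g. `/* message may be truncated; snprintf guarantees NUL termination */`, so nobody later treats message_len as the byte count written. sizeof(message) is only a real bound if `message` is a local array; its declaration is outside this hunk, so confirm it is not a `char *`. HandleMuxError starts and ends outside the hunk.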
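Review bot: The return value of the new snprintf() in the VP8_ENC_ERROR_BAD_DIMENSION branch is discarded, so if the text ever outgrows the 50-byte `message` buffer declared two lines above, the error string would be cut short with no indication. With a five-digit WEBP_MAX_DIMENSION (libwebp defines it as 16383, as far as I know) the formatted text needs 48 bytes including the terminator, which leaves almost no headroom. A comment on the declaration would make that arithmetic visible to whoever next edits the format string: `char message[50] = "";  /* fits ": Image size exceeds WebP limit of NNNNN pixels" + NUL; snprintf truncates, not overflows, if this grows */`. WebPEncode_wrapper continues outside the hunk.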
diff --git a/src/libImaging/JpegEncode.c b/src/libImaging/JpegEncode.c
index 098e431fca0..6925592c650 100644
--- a/src/libImaging/JpegEncode.c
+++ b/src/libImaging/JpegEncode.c
@@ -402,7 +402,7 @@ ImagingJpegEncode(Imaging im, ImagingCodecState state, UINT8 *buf, int bytes) {
 const char *
 ImagingJpegVersion(void) {
 static char version[20];
- sprintf(version, "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);
+ snprintf(version, sizeof(version), "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);
 return version;
 }
diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c
index a2258c3a289..d731cb53ce7 100644
--- a/src/libImaging/QuantPngQuant.c
+++ b/src/libImaging/QuantPngQuant.c
@@ -126,7 +126,7 @@ const char *
 ImagingImageQuantVersion(void) {
 static char version[20];
 int number = liq_version();
- sprintf(version, "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
+ snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
 return version;
 }
From 6e8b879db6fb4cafe79ff99df7c4fbf881cf5c59 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 16:55:53 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
 src/_webp.c | 14 +++++++++++---
 src/libImaging/JpegEncode.c | 4 +++-
 src/libImaging/QuantPngQuant.c | 9 ++++++++-
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/_webp.c b/src/_webp.c
index d1ad742d5e2..4f627a90b24 100644
--- a/src/_webp.c
+++ b/src/_webp.c
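Review bot: ImagingJpegVersion() hands callers a pointer into the `static char version[20]` it formats, and nothing in the function says so; that is the property a caller actually needs to know (the pointer is shared across calls and must not be freed), and it matters more here than the sprintf/snprintf swap, since two bounded `%d` values of a compile-time JPEG_LIB_VERSION cannot fill 20 bytes. I would add above the function: `/* Returns a pointer to a static buffer shared by every call; do not free. The format is bounded, so snprintf() here is defence in depth, and it would truncate rather than overflow if the format ever grew. */`. The same comment fits ImagingImageQuantVersion() in the next hunk, which has the identical shape.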
@@ -52,11 +52,19 @@ HandleMuxError(WebPMuxError err, char *chunk) {
 // Create the error message
 if (chunk == NULL) {
- message_len =
- snprintf(message, sizeof(message), "could not assemble chunks: %s", kErrorMessages[-err]);
+ message_len = snprintf(
+ message,
+ sizeof(message),
+ "could not assemble chunks: %s",
+ kErrorMessages[-err]
+ );
 } else {
 message_len = snprintf(
- message, sizeof(message), "could not set %.4s chunk: %s", chunk, kErrorMessages[-err]
+ message,
+ sizeof(message),
+ "could not set %.4s chunk: %s",
+ chunk,
+ kErrorMessages[-err]
 );
 }
 if (message_len < 0) {
diff --git a/src/libImaging/JpegEncode.c b/src/libImaging/JpegEncode.c
index 6925592c650..d61094ad7b2 100644
--- a/src/libImaging/JpegEncode.c
+++ b/src/libImaging/JpegEncode.c
@@ -402,7 +402,9 @@ ImagingJpegEncode(Imaging im, ImagingCodecState state, UINT8 *buf, int bytes) {
 const char *
 ImagingJpegVersion(void) {
 static char version[20];
- snprintf(version, sizeof(version), "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);
+ snprintf(
+ version, sizeof(version), "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10
+ );
 return version;
 }
diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c
index d731cb53ce7..9fd2d8e5101 100644
--- a/src/libImaging/QuantPngQuant.c
+++ b/src/libImaging/QuantPngQuant.c
@@ -126,7 +126,14 @@ const char *
 ImagingImageQuantVersion(void) {
 static char version[20];
 int number = liq_version();
- snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
+ snprintf(
+ version,
+ sizeof(version),
+ "%d.%d.%d",
+ number / 10000,
+ (number / 100) % 100,
+ number % 100
+ );
 return version;
 }