Replace all remaining sprintf() with snprintf()

Your Name · Your Name · commit 5debc09d32d0 · 2026-03-19T16:53:43.000Z
Replace unsafe sprintf() calls with bounds-checked snprintf() in: - src/libImaging/QuantPngQuant.c (version string) - src/libImaging/JpegEncode.c (version string) - src/_webp.c (error messages and version string, 4 call sites) This is consistent with the fix applied in CVE-2024-28219 which addressed the same class of vulnerability in font rendering code. Security: CWE-120 (Buffer Copy without Checking Size of Input)
diff --git a/src/_webp.c b/src/_webp.c
@@ -53,10 +53,10 @@ HandleMuxError(WebPMuxError err, char *chunk) {
     // Create the error message
     if (chunk == NULL) {
         message_len =
-            sprintf(message, "could not assemble chunks: %s", kErrorMessages[-err]);
+            snprintf(message, sizeof(message), "could not assemble chunks: %s", kErrorMessages[-err]);
     } else {
-        message_len = sprintf(
-            message, "could not set %.4s chunk: %s", chunk, kErrorMessages[-err]
+        message_len = snprintf(
+            message, sizeof(message), "could not set %.4s chunk: %s", chunk, kErrorMessages[-err]
         );
     }
     if (message_len < 0) {
@@ -649,8 +649,9 @@ WebPEncode_wrapper(PyObject *self, PyObject *args) {
         int error_code = (&pic)->error_code;
         char message[50] = "";
         if (error_code == VP8_ENC_ERROR_BAD_DIMENSION) {
-            sprintf(
+            snprintf(
                 message,
+                sizeof(message),
                 ": Image size exceeds WebP limit of %d pixels",
                 WEBP_MAX_DIMENSION
             );
@@ -743,8 +744,9 @@ const char *
 WebPDecoderVersion_str(void) {
     static char version[20];
     int version_number = WebPGetDecoderVersion();
-    sprintf(
+    snprintf(
         version,
+        sizeof(version),
         "%d.%d.%d",
         version_number >> 16,
         (version_number >> 8) % 0x100,
diff --git a/src/libImaging/JpegEncode.c b/src/libImaging/JpegEncode.c
@@ -402,7 +402,7 @@ ImagingJpegEncode(Imaging im, ImagingCodecState state, UINT8 *buf, int bytes) {
 const char *
 ImagingJpegVersion(void) {
     static char version[20];
-    sprintf(version, "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);
+    snprintf(version, sizeof(version), "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);
     return version;
 }
 
diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c
@@ -126,7 +126,7 @@ const char *
 ImagingImageQuantVersion(void) {
     static char version[20];
     int number = liq_version();
-    sprintf(version, "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
+    snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
     return version;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -402,7 +402,7 @@ ImagingJpegEncode(Imaging im, ImagingCodecState state, UINT8 *buf, int bytes) {`
`402`	`402`	`const char *`
`403`	`403`	`ImagingJpegVersion(void) {`
`404`	`404`	`static char version[20];`
`405`		`- sprintf(version, "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);`
	`405`	`+ snprintf(version, sizeof(version), "%d.%d", JPEG_LIB_VERSION / 10, JPEG_LIB_VERSION % 10);`
`406`	`406`	`return version;`
`407`	`407`	`}`
`408`	`408`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ const char *`
`126`	`126`	`ImagingImageQuantVersion(void) {`
`127`	`127`	`static char version[20];`
`128`	`128`	`int number = liq_version();`
`129`		`- sprintf(version, "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);`
	`129`	`+ snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);`
`130`	`130`	`return version;`
`131`	`131`	`}`
`132`	`132`