Fix integer overflow in quantize_pngquant() and replace sprintf

Your Name · Your Name · commit 9ff51ff643e3 · 2026-03-19T16:52:05.000Z
- Add overflow check for width * height before malloc() to prevent heap buffer overflow when the product exceeds UINT_MAX - Use size_t for total_pixels to ensure correct arithmetic on 64-bit - Replace sprintf with snprintf (consistent with CVE-2024-28219 fix) Security: CWE-190 (Integer Overflow) -> CWE-122 (Heap Buffer Overflow)
diff --git a/src/libImaging/QuantPngQuant.c b/src/libImaging/QuantPngQuant.c
@@ -8,6 +8,7 @@
  *
  */
 
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -39,6 +40,13 @@ quantize_pngquant(
     *paletteLength = 0;
     *quantizedPixels = NULL;
 
+    /* Check for integer overflow in width * height to prevent
+     * undersized allocations leading to heap buffer overflow. */
+    if (height != 0 && (size_t)width > SIZE_MAX / (size_t)height) {
+        goto err;
+    }
+    size_t total_pixels = (size_t)width * (size_t)height;
+
     /* configure pngquant */
     attr = liq_attr_create();
     if (!attr) {
@@ -77,7 +85,7 @@ quantize_pngquant(
     }
 
     /* write output pixels (pngquant uses char array) */
-    charMatrix = malloc(width * height);
+    charMatrix = malloc(total_pixels);
     if (!charMatrix) {
         goto err;
     }
@@ -86,18 +94,18 @@ quantize_pngquant(
         goto err;
     }
     for (y = 0; y < height; y++) {
-        charMatrixRows[y] = &charMatrix[y * width];
+        charMatrixRows[y] = &charMatrix[(size_t)y * width];
     }
     if (LIQ_OK != liq_write_remapped_image_rows(remap, image, charMatrixRows)) {
         goto err;
     }
 
     /* transcribe output pixels (pillow uses uint32_t array) */
-    *quantizedPixels = malloc(sizeof(uint32_t) * width * height);
+    *quantizedPixels = malloc(sizeof(uint32_t) * total_pixels);
     if (!*quantizedPixels) {
         goto err;
     }
-    for (i = 0; i < width * height; i++) {
+    for (i = 0; i < total_pixels; i++) {
         (*quantizedPixels)[i] = charMatrix[i];
     }
 
@@ -126,7 +134,7 @@ const char *
 ImagingImageQuantVersion(void) {
     static char version[20];
     int number = liq_version();
-    sprintf(version, "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
+    snprintf(version, sizeof(version), "%d.%d.%d", number / 10000, (number / 100) % 100, number % 100);
     return version;
 }
 
