Merge pull request #5 from ActiveState/BE-135-cve-2021-34552

Use snprintf instead of sprintf

CHANGES.rst

@@ -9,6 +9,9 @@ Changelog (Pillow)
 
 - Fix OOB Read in Jpeg2KDecode. CVE 2021-25287, CVE 2021-25288
   [emilieyyu]
+
+- Use snprintf instead of sprintf. CVE-2021-34552
+  [wooken]
   
 6.2.2.1 (2021-10-08)
 ------------------

docs/releasenotes/6.2.2.2.rst

@@ -8,3 +8,5 @@ This release addresses several critical CVEs.
 
 CVE 2021-25287, CVE 2021-25288 has out-of-bounds read in J2kDecode, in 
 j2ku_graya_la.
+
+CVE-2021-34552 -- buffer overflow in Convert.c

src/libImaging/Convert.c

@@ -1618,17 +1618,15 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
             break;
         }
 
-    if (!convert)
+    if (!convert) {
 #ifdef notdef
         return (Imaging) ImagingError_ValueError("conversion not supported");
 #else
-    {
-      static char buf[256];
-      /* FIXME: may overflow if mode is too large */
-      sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
-      return (Imaging) ImagingError_ValueError(buf);
-    }
+        static char buf[100];
+        snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+        return (Imaging)ImagingError_ValueError(buf);
 #endif
+    }
 
     imOut = ImagingNew2Dirty(mode, imOut, imIn);
     if (!imOut)
@@ -1681,10 +1679,14 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
     }
 #else
     {
-      static char buf[256];
-      /* FIXME: may overflow if mode is too large */
-      sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
-      return (Imaging) ImagingError_ValueError(buf);
+        static char buf[100];
+        snprintf(
+            buf,
+            100,
+            "conversion from %.10s to %.10s not supported in convert_transparent",
+            imIn->mode,
+            mode);
+        return (Imaging)ImagingError_ValueError(buf);
     }
 #endif