libsixel Integer Overflow Leads to Heap OOB Read, Info Disclosure

The National Vulnerability Database (NVD) has detailed CVE-2026-33019, a high-severity integer overflow vulnerability in libsixel, a popular SIXEL encoder/decoder implementation. Affecting versions 1.8.7 and prior, this flaw allows for an out-of-bounds heap read within the img2sixel utility, specifically when handling the --crop option.

The core issue, as reported by the NVD, lies in the absence of overflow-safe bounds checking for positive coordinates up to INT_MAX. When a malicious clip_x value of INT_MAX is supplied to sixel_encoder_do_clip(), the expression clip_w + clip_x overflows, resulting in a large negative value. This bypasses critical bounds guards, enabling an unclamped coordinate to be passed to sixel_frame_clip() and subsequently clip(). The consequence is a source pointer computed far beyond the image buffer, leading memmove() to access memory it shouldn’t. An attacker can leverage this by providing a specially crafted crop argument with any valid image, triggering a reliable crash and, more critically, potential information disclosure from the heap. This critical vulnerability has been addressed in version 1.8.7-r1.