Libsixel Integer Overflow Leads to Heap Corruption

The National Vulnerability Database (NVD) has disclosed CVE-2026-33020, a high-severity integer overflow vulnerability impacting libsixel, a popular SIXEL encoder/decoder library. According to the NVD, versions 1.8.7 and earlier of libsixel are susceptible to a heap buffer overflow due to flawed arithmetic in the sixel_frame_convert_to_rgb888() function within frame.c. This flaw specifically affects palettized images (PAL1, PAL2, PAL4) where allocation size and pointer offset calculations use int arithmetic before being cast to size_t.

When processing images with a pixel count exceeding INT_MAX / 4, this integer overflow results in an undersized heap allocation for the conversion buffer. Compounding the issue, a negative pointer offset is generated for the normalization sub-buffer. Subsequently, sixel_helper_normalize_pixelformat() attempts to write the full image data starting from this invalid pointer, leading to significant heap corruption. The NVD confirms this behavior through ASAN (AddressSanitizer) findings, indicating a reliable crash and the potential for arbitrary code execution if an attacker provides a specially crafted large palettized PNG image. The issue has been addressed in version 1.8.7-r1.