Releases: saitoha/libsixel

v1.8.7-r2 security update

03 May 12:46

We are releasing a minor update in response to security advisories. Thank you to everyone who reported the issues.

📢 What's New in libsixel-1.9.7-r2

  • Additional fix for #222, packed byte-size validation in
    sixel_encoder_encode_bytes() and Python bindings.
    Thanks to @xyzzy42

  • tests: add C and Python regression coverage for #222 packed
    encode_bytes() paths.

  • Security fix for GHSA-hx93-w8p2-ffh5, integer overflow in high-color
    encoder allocation that can lead to out-of-bounds memory access.
    Based on a patch provided by @curious-rabbit.

  • Security fix for GHSA-9jm7-77gr-qghv, integer overflow in SIXEL parser
    repeat/count handling that can lead to out-of-bounds write.
    Based on a patch provided by @curious-rabbit.

  • Security fix for GHSA-wpx3-h5g8-qr3w, NULL pointer dereference when
    palette allocation fails during SIXEL decode.
    Based on a patch provided by @curious-rabbit.

v1.8.7-r1 security update

14 Apr 20:27

More than seven months have passed since our last release, so we are publishing this minor update. Thank you to everyone who submitted bug reports and security advisories.

Development is currently focused on the develop branch, where we are improving quality by generating a large number of tests with an AI agent.

The develop branch includes improvements to quantization and dithering, band-level parallelization, parallel and pipelined processing for encoding, decoding, and dithering, as well as loader enhancements. Because these significant additions broaden the attack surface, we are strengthening security with static analysis and fuzzing in GitHub Actions; however, stabilization is expected to take some time.

The Dependabot alert issue that was not addressed in v1.8.7 has already been resolved on the develop branch, and the fix is planned for release in v1.8.11.

📢 What's New in libsixel-1.9.7-r1

  • Security fix for CVE-2026-33023 (GHSA-hr25-g2j6-qjw6), use-after-free in load_with_gdkpixbuf().
    Thanks to @nicoppida

  • Security fix for CVE-2026-33018 (GHSA-w46f-jr9f-rgvp), use-after-free in load_gif().
    Thanks to @nicoppida

  • Security fix for CVE-2026-33019 (GHSA-c854-ffg9-g72c), integer overflow that leads to out-of-bounds read in img2sixel.
    Thanks to @nicoppida

  • Security fix for CVE-2026-33020 (GHSA-2xgm-4x47-2x2p), integer overflow in write_png_to_file() that leads to heap overflow.
    Thanks to @nicoppida

  • Security fix for CVE-2026-33021 (GHSA-j6m5-2cc7-3whc), use-after-free in sixel_encoder_encode_bytes().
    Thanks to @nicoppida

  • Security fix for #222, out-of-bounds memory access in packed pixel format copy path.
    Thanks to @xyzzy42

  • Security backports and hardening for #220:
    GIF transparent index OOB, per-frame palette compositing, DCS parameter overflow, resize/item5/quant integer overflows, and invalid PNG cleanup path.
    Thanks to @ShangzhiXu

  • fix memory leak issue in GIF loader callback path (#207).
    Thanks to @optionGo

  • python: fix bugs in sixel_encoder_encode_bytes (#223).
    Thanks to @xyzzy42

  • build: make distcheck pass by shipping required fixtures.

v1.8.7 security update

31 Aug 08:28

First, my apologies for letting the project stagnate for so long, and my thanks to everyone on the libsixel/libsixel project who continued to deliver security fixes and improvements during my absence.

This repository (saitoha/libsixel) does not yet incorporate everything from libsixel/libsixel. In particular, I am still evaluating whether to adopt Meson for the build system. Reasons include: I currently have no Meson expertise; importing it as-is would eliminate a large number of #ifdefs and likely reduce portability; and I am considering a future port to OpenVMS. I know many people dislike GNU Autotools, so I will keep revisiting the build system choice. The slow ./configure on Windows is a major pain point, but predefining CONFIG_SITE should mitigate it substantially.

On security fixes, my understanding is that the majority are already addressed. A summary of overall progress appears further below in this post. We deferred CVE-2021-46700 (#158), which we have not been able to reproduce, as well as certain Dependabot alerts that appear to have limited impact, for a later release.

📢 What's New in libsixel-1.8.7

  • fix invalid pointer access in encoder.c (#193, #195)
    Thanks to @momo-trip, @akinomyoga

  • fix wrong HLS to RGB conversion. (#191)
    Thanks to @gnachman, @j4james

  • fix NULL pointer dereference problem in img2sixel.c (#192)
    Thanks to @momo-trip, @akinomyoga

  • fix double free problem in encoder.c (#194)
    Thanks to @momo-trip

  • Security fix for #200, heap buffer overflow in debug palette function.
    Thanks to @err2zero

  • add EXTRA_DIST for LICENSE files (#129)
    Thanks to @ttdoda

  • Travis-ci: added support for ppc64le (#140)
    Thanks to @dthadi3

  • export sixel_allocator_new to dll (#151)
    Thanks to @johnnychen94

  • README: Add Idris 2 language bindings (#155)
    Thanks to @Kaiepi

  • performance: If width and height are unchanged, nothing to do. (#170)
    Thanks to @rokuyama

  • README: add MacPorts to install options (#183)
    Thanks to @barracuda156

  • fix for bash completion (#189)
    Thanks to @rcorre

  • Add backport feature (nanosleep) for windows, github actions CI (#202)
    Thanks to @Kreijstal

  • README: update NixOS link (#204)
    Thanks to @max-amb

  • build: Remove override of $LIBJPEG_CFLAGS and $LIBJPEG_LIBS set by PKG_CHECK_MODULES()

  • fix Problems with the dithering palette calculation (#188)
    Thanks to @gnachman, @j4james

  • fix SEGV error in sixel_encoder_setopt (#174)
    Thanks to @shinibufa, @j4james

  • curl: send original UserAgent header: "libsixel/${LIBSIXEL_VERSION}"

  • fix heap-buffer-overflow in error_diffuse, quant.c:876 #172
    Thanks to @waugustus

  • fix Heap-buffer-overflow in scale.c:214 #179
    Thanks to @chameleon10712, @j4james

  • build: fallback support for environments without pkg-config.

  • fix double-free problem in loader.c (#150)
    Thanks to @duytai, @ctrlcctrlv

  • fix an assertion issue in stbi__create_png_image_raw (#163)
    Thanks to @kdsjZh, @dankamongmen

  • Update stb_image.h from upstream to version 2.30
    Thanks to @hzeller

  • Update examples/drawing: add SGR-Pixels mode

  • fix a problem on monochromatic encoded (-e) output (#112)
    Thanks to @interkosmos, @j4james

  • fix a FPE issue (#166, #167)
    Thanks to @waugustus, @j4james

  • cli: fix a scaling issue introduced in v1.6.1, which is caused
    when one of -w/-h is a percentage and the other is unset or "auto"

  • fix a memory leak problem (#164)
    Thanks to @muetzenmann, @j4james

🛡️ libsixel Security Overview (CVE + Dependabot)

All CVEs reported for libsixel (2018–2025, including stb_image leftovers)

| CVE | Short Description | Fix Status (S = saitoha/libsixel / L = libsixel/libsixel fork) | S: Issues / PRs | L: Issues / PRs | Debian / Downstream Status | Notes |
|---|---|---|---|---|---|---|
| CVE-2025-9300 (NVD) | img2sixel: sixel_debug_print_palette stack/heap boundary error | S: ✅ fixed (316c086) | Issues: #200 | | Vulnerable (no DSA) | New in 2025; S fixed on master via #200 / 316c086; L archived. |
| CVE-2023-45661 (NVD) | stb_image: OOB memcpy read in stbi__gif_load_next (GIF) | S: ✅ Not Affected (stb ≥2.30 (vendored)) | | | Vulnerable (libstb) | libsixel provides its own gif_load_next() and we have verified it is unaffected; historically, when stb_image.h lacked animated gif support, we moved the gif loader to src/fromgif.c and have maintained it independently. |
| CVE-2023-43898 (NVD) | stb_image: NULL deref in stbi__convert_format (PICT) | S: ✅ fixed (stb 2.28) | | | Vulnerable (libstb) | |
| CVE-2022-29978 (NVD) | FPE in sixel_encoder_do_resize | S: ✅ fixed (07ab235) / L: 🟡 in progress | Issues: #166, #167 | Issues: #60, #61, #63 | Vulnerable (postponed/No-DSA) | Debian postponed. |
| CVE-2022-29977 (NVD) | Assertion failure in stb JPEG huffman decode (stb_image) | S: ✅ fixed (1c58a6e) / L: ✅ fixed (138b4ee) | Issues: #165, #159 | Issues: #62 / PRs: #83 | Vulnerable (postponed/No-DSA) | Debian postponed; L has #63. |
| CVE-2022-28042 (NVD) | stb_image: heap use-after-free in stbi__jpeg_huff_decode (v2.27) | S: ✅ fixed (stb 2.28) | | | Vulnerable (libstb) | |
| CVE-2022-28041 (NVD) | stb_image: integer overflow in stbi__jpeg_decode_block_prog_dc (v2.27) | S: ✅ fixed (stb 2.28.) | | | Vulnerable (libstb) | |
| CVE-2022-27046 (NVD) | Use-after-free in dither.c:388 | S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67) | Issues: #157 | Issues: #27 / PRs: #28 | Fixed (bookworm+) | Fixed in L via #28; Debian fixed in bookworm+. |
| CVE-2022-27044 (NVD) | Buffer overflow in quant.c | S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc) | Issues: #172 | Issues: #25 / PRs: #26 | Fixed (bookworm+) | Debian marks fixed; L fixed in 1.10.x. |
| CVE-2021-46700 (NVD) | Double-free in sixel_encoder_output_without_macro | S: 🟡 could not be reproduced on our side | Issues: #158 | | Vulnerable (no DSA) | |
| CVE-2021-45340 (NVD) | stb_image: NULL deref (PICT) | S: ✅ fixed (stb 2.26) (1c58a6e) / L: ✅ fixed (138b4ee) | Issues: #160 | Issues: #73, #51 / PRs: #52 | Vulnerable (ignored) | Handled historically via stb bump to 2.26 in L. |
| CVE-2021-41715 (NVD) | Use-after-free in dither.c:379 | S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67) | Issues: #157 | Issues: #27 / PRs: #28 | Fixed (bookworm+) | Fixed in libsixel/libsixel (archived 2025-02-12); backport to S as needed |
| CVE-2021-40656 (NVD) | Buffer overflow in quant.c:867 (<1.10) | S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc) | Issues: #156, #172 | Issues: #25 | Fixed (bookworm+) | |
**CVE-...

libsixel Nightly

30 Aug 07:29

Pre-release

Nightly from multiple branches/OS. Generated on 2025-12-04T02:09:55Z (UTC)

v1.8.6 build fixes

13 Jan 17:57

  • python: Fix broken python interface problem (#128), reported by @fd00.
  • build: Introduce VPATH build support (#56), suggested by @tkelman.

v1.8.5 security update

03 Jan 00:50

For more details, see the summary of vulnerabilities below.

No. assigned CVE PR patch status fixed on comment
#67 CVE-2018-14072 CVE-2018-14073 - f94bc6f 84ed0bc resolved v1.8.2
#68 - - 6a19d99 94a647c resolved v1.8.2
#69 - - 0d70e04 resolved v1.8.2
#70 - - 438188c resolved v1.8.2
#71 - - 01c0bad ba21bb9 resolved v1.8.2
#72 - - 570d6ae released v1.8.3
#73 - - cb373ab 26ac06f resolved v1.8.4
#74 - - 0b1e0b3 resolved v1.8.5
#75 - - 7808a06 resolved v1.8.3
#76 - - e3a4c0e 3c071b9 d7b2600 197d025 partially resolved partially fixed on v1.8.3
#77 CVE-2018-19759 #98 5f64fb1 resolved v1.8.3
#78 CVE-2018-19761 (#106) (1377517) resolved v1.8.3 *same as #105
#79 CVE-2018-19757 #91 #94 e903c93 a53c872 resolved v1.8.3
#80 CVE-2018-19756 #93 d6e34fc resolved v1.8.3
#81 CVE-2018-19762 #92 9861272 resolved v1.8.3
#82 CVE-2018-19763 #95 614e761 resolved v1.8.3
#83 CVE-2019-3573 CVE-2019-3574 #99 9c013f2 68ecbc1 resolved v1.8.3
#85 CVE-2019-11024 - b418f35 resolved v1.8.4
#88 - - 7808a06 resolved v1.8.3
#89 - - a516125 resolved v1.8.4
#90 - - (1377517) resolved v1.8.3 *same as #105
#97 - - (1377517) resolved v1.8.3 *same as #105
#102 CVE-2019-19638 #106 e17c076 resolved v1.8.3
#103 CVE-2019-19635 #106 1377517 resolved v1.8.3
#104 CVE-2019-19636 #106 bf46a7b resolved v1.8.3
#105 CVE-2019-19637 #106 1377517 resolved v1.8.3
#107 - - 1d35033 resolved v1.8.4
#108 (CVE-2019-19638) (#106) (e17c076) resolved v1.8.3 *same as #102
#109 CVE-2019-19777 (#93) (d6e34fc) resolved v1.8.3 *same as #80
#110 CVE-2019-19778 (#95) (614e761) resolved v1.8.3 *same as #82
#111 - (#106) (1377517) resolved v1.8.3 *same as #105
#113 - (#93) (aac1df6) resolved v1.8.3 *same as #80
#114 - - (9d0a7ff) resolved v1.8.4 *same as #116
#116 - - 9d0a7ff resolved v1.8.4
#117 CVE-2019-20023 - b9a4175 resolved v1.8.5
#118 - - 6367d2f resolved v1.8.4
#119 (CVE-2019-20023) - b9a4175 resolved 1.8.5 *same as #117
#120 (CVE-2019-20023) - b9a4175 resolved 1.8.5 *same as #117
#121 - (6367d2f) resolved v1.8.4 *same as #118
#122 - 598c8c8 resolved v1.8.5
#123 - (0b1e0b3) resolved v1.8.5 *same as #74
#124 - c1ef812 resolved v1.8.5
#125 CVE-2019-20094 a18b378 resolved v1.8.5
#126 CVE-2019-20096 814f831 resolved v1.8.5
#127 CVE-2019-20095 5543354 resolved v1.8.5

v1.8.4 security update

18 Dec 20:29

For more details, see the summary of vulnerabilities below.

No. assigned CVE PR patch status fixed on comment
#67 CVE-2018-14072 CVE-2018-14073 - f94bc6f 84ed0bc resolved v1.8.2
#68 - - 6a19d99 94a647c resolved v1.8.2
#69 - - 0d70e04 resolved v1.8.2
#70 - - 438188c resolved v1.8.2
#71 - - 01c0bad ba21bb9 resolved v1.8.2
#72 - - 570d6ae released v1.8.3
#73 - - cb373ab 26ac06f resolved v1.8.4
#74 - - - not resolved -
#75 - - 7808a06 resolved v1.8.3
#76 - - e3a4c0e 3c071b9 d7b2600 197d025 partially resolved partially fixed on v1.8.3
#77 CVE-2018-19759 #98 5f64fb1 resolved v1.8.3
#78 CVE-2018-19761 (#106) (1377517) resolved v1.8.3 *same as #105
#79 CVE-2018-19757 #91 #94 e903c93 a53c872 resolved v1.8.3
#80 CVE-2018-19756 #93 d6e34fc resolved v1.8.3
#81 CVE-2018-19762 #92 9861272 resolved v1.8.3
#82 CVE-2018-19763 #95 614e761 resolved v1.8.3
#83 CVE-2019-3573 CVE-2019-3574 #99 9c013f2 68ecbc1 resolved v1.8.3
#85 CVE-2019-11024 - b418f35 resolved v1.8.4
#88 - - 7808a06 resolved v1.8.3
#89 - - a516125 resolved v1.8.4
#90 - - (1377517) resolved v1.8.3 *same as #105
#97 - - (1377517) resolved v1.8.3 *same as #105
#102 CVE-2019-19638 #106 e17c076 resolved v1.8.3
#103 CVE-2019-19635 #106 1377517 resolved v1.8.3
#104 CVE-2019-19636 #106 bf46a7b resolved v1.8.3
#105 CVE-2019-19637 #106 1377517 resolved v1.8.3
#107 - - 1d35033 resolved v1.8.4
#108 (CVE-2019-19638) (#106) (e17c076) resolved v1.8.3 *same as #102
#109 CVE-2019-19777 (#93) (d6e34fc) resolved v1.8.3 *same as #80
#110 CVE-2019-19778 (#95) (614e761) resolved v1.8.3 *same as #82
#111 - (#106) (1377517) resolved v1.8.3 *same as #105
#113 - (#93) (aac1df6) resolved v1.8.3 *same as #80
#114 - - (9d0a7ff) resolved v1.8.4 *same as #116
#116 - - 9d0a7ff resolved v1.8.4
#117 - - b9a4175 patched -
#118 - - 6367d2f resolved v1.8.4
#119 - - b9a4175 patched - *same as #117
#120 - - b9a4175 patched - *same as #117
#121 - (6367d2f) resolved v1.8.4 *same as

Security fix release

14 Dec 21:02

v1.8.2

22 Jul 17:40

This release provides some security updates.

libsixel-1.8.1 Bug-fix release

09 Jun 18:06

v1.8.1 includes an important bug fix.
600f122