Aitoha

**Name of the Vulnerable Software and Affected Versions** libsixel versions prior to 1.8.7-r2 **Description** A signed integer overflow exists in the SIXEL parser's image-buffer doubling loop. The `context->pos x` variable increases by `repeat count` for every sixel character without an upper bound check. When `pos x` approaches INT MAX, the expression `pos x + repeat count` used to size the image buffer overflows. This can bypass the resize check intended to reject oversized buffers, allowing a subsequent write to use a large attacker-influenced offset in `image->data` and write past the allocation. This issue is reachable via any caller that decodes attacker-supplied SIXEL data, such as `img2sixel`, and occurs within the `sixel decode raw impl()` function. **Recommendations** Update to version 1.8.7-r2.