Libsixel · CVE-2026-44636
**Name of the Vulnerable Software and Affected Versions**
libsixel versions prior to 1.8.7-r2
**Description**
A signed integer overflow exists in the allocation size calculation of the `sixel_encode_highcolor()` function. The `sixel_encode()` entry point only verifies that width and height are greater than zero, without enforcing an upper bound. When these values are multiplied as plain `int`s to compute the allocation size for `paletted_pixels` and `normalized_pixels`, a product exceeding `INT_MAX` (approximately 2.15 billion) wraps the allocation size. The encoder then writes pixel data beyond the end of the undersized buffer returned by `malloc`, resulting in a heap buffer overflow.
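To make the arithmetic in the description concrete, the following is an added C example, not libsixel's code: a hypothetical reconstruction of a width-times-height size computation done in `int`, beside a guarded version that rejects dimensions whose product would wrap. Function names and sample dimensions are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction of the pattern the advisory describes
 * (not libsixel's code): the pixel count is computed as a plain int and
 * that int is what malloc() is asked for. The product is formed in 64
 * bits and truncated to 32-bit two's complement so this demo itself has
 * no undefined behaviour while still showing what the int wraps to. */
size_t unchecked_alloc_size(int width, int height)
{
    int64_t wide = (int64_t)width * (int64_t)height;
    int32_t as_int = (int32_t)(uint32_t)wide;   /* the wrapped int product */
    return (size_t)as_int;                      /* what malloc() would receive */
}

/* Hardened form: positive dimensions only, multiply in size_t with an
 * explicit overflow guard, and cap the pixel count at INT_MAX so later
 * int arithmetic on it cannot overflow either. Returns 0 on rejection
 * (a valid pixel count is never 0). */
size_t checked_alloc_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)               /* w * h would not fit in size_t */
        return 0;
    size_t pixels = w * h;
    if (pixels > (size_t)INT_MAX)       /* would wrap when stored in an int */
        return 0;
    return pixels;
}

int main(void)
{
    /* 65536 x 65537 = 4295032832 pixels: above INT_MAX, the int wraps to 65536 */
    printf("unchecked: 65536x65537 -> %zu bytes requested\n",
           unchecked_alloc_size(65536, 65537));
    printf("checked:   65536x65537 -> %zu (0 = rejected)\n",
           checked_alloc_size(65536, 65537));
    printf("checked:   1024x768    -> %zu\n", checked_alloc_size(1024, 768));
    return 0;
}
```

The first case shows a 4.29-billion-pixel image producing a 65536-byte request, which is the undersized-buffer condition the description refers to; a product that wraps negative instead becomes a huge `size_t` and simply fails to allocate.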
**Recommendations**
Update to version 1.8.7-r2.