First, my apologies for letting the project stagnate for so long, and my thanks to everyone on the libsixel/libsixel project who continued to deliver security fixes and improvements during my absence.

This repository (saitoha/libsixel) does not yet incorporate everything from libsixel/libsixel. In particular, I am still evaluating whether to adopt Meson for the build system. Reasons include: I currently have no Meson expertise; importing it as-is would eliminate a large number of #ifdefs and likely reduce portability; and I am considering a future port to OpenVMS. I know many people dislike GNU Autotools, so I will keep revisiting the build system choice. The slow ./configure on Windows is a major pain point, but predefining CONFIG_SITE should mitigate it substantially.

On security fixes, my understanding is that the majority are already addressed. A summary of overall progress appears further below in this post. We deferred CVE-2021-46700 (#158), which we have not been able to reproduce, as well as certain Dependabot alerts that appear to have limited impact, for a later release.

📢 What's New in libsixel-1.8.7

• fix invalid pointer access in encoder.c (#193, #195)
  Thanks to @momo-trip, @akinomyoga

• fix wrong HLS to RGB conversion. (#191)
  Thanks to @gnachman, @j4james

• fix NULL pointer dereference problem in img2sixel.c (#192)
  Thanks to @momo-trip, @akinomyoga

• fix double free problem in encoder.c (#194)
  Thanks to @momo-trip

• Serucity fix for #200, heap buffer overflow in debug palette function.
  Thanks to @err2zero

• add EXTRA_DIST for LICENSE files (#129)
  Thanks to @ttdoda

• Travis-ci: added support for ppc64le (#140)
  Thanks to @dthadi3

• export sixel_allocator_new to dll (#151)
  Thanks to @johnnychen94

• README: Add Idris 2 language bindings (#155)
  Thanks to @Kaiepi

• performance: If width and height are unchanged, nothing to do. (#170)
  Thanks to @rokuyama

• README: add MacPorts to install options (#183)
  Thanks to @barracuda156

• fix for bash completion (#189)
  Thanks to @rcorre

• Add backport feature (nanosleep) for windows, github actions CI (#202)
  Thanks to @Kreijstal

• README: update NixOS link (#204)
  Thanks to @max-amb

• build: Remove override of $LIBJPEG_CFLAGS and $LIBJPEG_LIBS set by PKG_CHECK_MODULES()

• fix Problems with the dithering palette calculation (#188)
  Thanks to @gnachman, @j4james

• fix SEGV error in sixel_encoder_setopt (#174)
  Thanks to @shinibufa , @j4james

• curl: send original UserAgent header: "libsixel/${LIBSIXEL_VERSION}"

• fix heap-buffer-overflow in error_diffuse, quant.c:876 #172
  Thanks to @waugustus

• fix Heap-buffer-overflow in scale.c:214 #179
  Thanks to @chameleon10712, @j4james

• build: fallback support for environments without pkg-config.

• fix double-free problem in loader.c (#150)
  Thanks to @duytai, @ctrlcctrlv

• fix an assertion issue in stbi__create_png_image_raw (#163)
  Thanks to @kdsjZh, @dankamongmen

• Update stb_image.h from upstream to version 2.30
  THanks to @hzeller

• Update examples/drawing: add SGR-Pixels mode

• fix a problem on monochromatic encoded (-e) output (#112)
  Thanks to @interkosmos, @j4james

• fix a FPE issue (#166, #167)
  Thanks to @waugustus, @j4james

• cli: fix a scaling issue introduced in v1.6.1, which is caused
  when one of -w/-h is a percentage and the other is unset or "auto"

• fix a memory leak ploblem (#164)
  Thanks to @muetzenmann, @j4james

🛡️ libsixel Security Overview (CVE + Dependabot)

All CVEs reported for libsixel (2018–2025, including stb_image leftovers)

Nightly from multiple branches/OS. Generated on 2025-12-04T02:09:55Z (UTC)

• python: Fix broken python interface problem(#128), reported by @fd00.
• build: Introduce VPATH build support(#56), suggested by @tkelman.

• Security fix for CVE-2019-20205 (#127), integer overflow problem,
  reported by @sleicasper.

• Security fix for CVE-2019-20056 (#126), assertion failure problem,
  reported by @sleicasper.

• Security fix for CVE-2019-20094 (#125), heap overflow problem,
  reported by @cuanduo.

• Security fix for #124, illegal longjump() call problem,
  reported by @cuanduo.

• Serucity fix for #74 and #123, access violation problem,
  reported by @hongxuchen and SuhwanSong.

• Security fix for #122, heap overflow problem,
  reported by @SuhwanSong.

• Security fix for CVE-2019-20023(#117, #119, #120), memory leaks problem,
  reported by @SuhwanSong and @gutiniao.

• Strip first flag check in LZW compression function for issue #118,
  reported by @yoichi

For more details, see below summary of vulnerabilities.

• Security fix for CVE-2019-11024 (#85), recursive loop problem,
  reported by @Loginsoft-Research.

• Security fix for #73, illegal memory access problem,
  reported by @hongxuchen.

• Security fix for #89, core dumped issue,
  reported by @niugx.

• Security fix for #107, large memory allocation problem,
  reported by @cuanduo.

• Security fix for #114, heap-buffer-overflow problem,
  reported by @SuhwanSong.

• Security fix for #116, heap-buffer-overflow problem,
  reported by @SuhwanSong.

• Security fix for #118, heap-buffer-overflow problem,
  reported by @SuhwanSong.

• Security fix for #121, heap-buffer-overflow problem,
  reported by @gutiniao

For more details, see below summary of vulnerabilities.

• Security fix for CVE-2018-19757 (#79), NULL pointer dereference problem,
  reported by @nluedtke and fixed by @knok (#91, #94).

• Security fix for CVE-2018-19762 (#81), heap-based buffer overflow problem,
  reported by @nluedtke and fixed by @knok (#92).

• Security fix for CVE-2018-19756 (#80), heap-based buffer over-read problem,
  reported by @nluedtke and fixed by @knok (#93).

• Security fix for CVE-2018-19763 (#82, reported by @nluedtke) and CVE-2019-19778 (#110, reported by @SuhwanSong),
  heap-based buffer over-read problem, fixed by @knok (#95).

• Security fix for CVE-2018-19761, illegal address access, fixed by @knok (#96).

• Security fix for CVE-2018-19759, heap-based buffer over-read problem, fixed by @knok (#98).

• Security fix for CVE-2019-3753 (#83), infinite loop problem,
  reported by @cool-tomato and fixed by @knok (#99).

• Security fix for CVE-2018-19759 (#102),
  heap-based buffer over-read that will cause a denial of service.
  reported and fixed by @YourButterfly. (#106)

• Security fix for CVE-2019-19635 (#103), heap-based buffer overflow,
  reported and fixed by @YourButterfly. (#106)

• Security fix for CVE-2019-19636 (#104) and CVE-2019-19637 (#105), integer overflow problem.
  reported and fixed by @YourButterfly. (#106)

• gif loader: check LZW code size (Issue #75), Thanks to @hongxuchen.
  7808a06

• core: Fix a global-buffer-overflow problem (Issue #72), Thanks to @fgeek.
  c868b59

• core: Fix unexpected hangs/performance issues (Issue #76), Thanks to @hongxuchen.
  88561b7
  2d3d9ff
  c9363cd

This release provides some security updates.

• core: Fix memory leak problems(#67, CVE-2018-14072, CVE-2018-14073), thanks to @fCorleone.
  f94bc6f
  84ed0bc

• core: Fix some heap buffer-overflow problems(#68, #69, #70, #71), thanks to @fgeek.
  6a19d99
  0d70e04
  438188c
  ba21bb9

• man: Fix a typo (#66), thanks to @tsutsui.
  cf47281

v1.8.1 includes an important bug fix.
600f122

              ------------------------------
               What's new in libsixel-1.8 ?
              ------------------------------

• core: Upgrade stb_image to 2.19.

• core: Introduce new dithering method, a_dither / x_dither (http://pippin.gimp.org/a_dither/).
  Thanks to @hodefoting.
  #53

• core: Fix wrong HLS color handling.
  0fb35d2

• core: Improve quality of 15bpp(hi-color mode) dither.
  42f3428

• img2sixel: Allow a deferred clear code in a GIF format
  GIF decoder must do nothing when the table is full.
  See Section "DEFERRED CLEAR CODE IN LZW COMPRESSION" in
  https://www.w3.org/Graphics/GIF/spec-gif89a.txt.
  Thanks to @mame.
  #63

• img2sixel: Marks -D option (read source images from stdin continuously) as deprecated
  9c8ffa6

• Some bug fixes and minor improvements.
  Thanks to @set135, @ttdoda.

• Announcement for package maintainers:
  Immutable tarball is provided, because GitHub auto-generated tarball may be not immutable.

  https://github.com/saitoha/libsixel/releases/download/v1.8.0/libsixel-1.8.0.tar.gz

  For details, see #64 .

We additionally provide immutable tarball:
https://github.com/saitoha/libsixel/releases/download/v1.7.3/libsixel-1.7.3.tar.gz

According to Issue #64, GitHub auto-generated tarball(https://github.com/saitoha/libsixel/archive/v1.7.3.tar.gz) may be not immutable.