{"id":"CVE-2020-21049","details":"An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file.","modified":"2026-04-11T09:46:20.669655Z","published":"2021-09-14T16:15:08.773Z","references":[{"type":"ADVISORY","url":"https://github.com/saitoha/libsixel/blob/master/ChangeLog"},{"type":"ADVISORY","url":"https://github.com/saitoha/libsixel/releases/tag/v1.8.5"},{"type":"FIX","url":"https://bitbucket.org/netbsd/pkgsrc/commits/970a81d31ec7498e04d09b6b7771cef35f63cd28"},{"type":"FIX","url":"https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"},{"type":"FIX","url":"https://github.com/saitoha/libsixel/issues/74"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saitoha/libsixel","events":[{"introduced":"0"},{"fixed":"933670340dcd51e41d014d83e8d693688605b773"},{"fixed":"0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.8.5"}]}}],"versions":["v0.14.0","v0.15.0","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.2","v0.18.0","v0.19.2","v0.19.3","v0.19.4","v0.19.5","v0.19.6","v0.20.0","v0.21.0","v0.21.1","v0.22.0","v0.22.1","v0.22.2","v0.22.3","v0.23.0","v0.23.1","v0.23.2","v0.24.0","v0.24.2","v0.25.0","v0.25.1","v0.25.2","v0.25.3","v0.25.4","v0.25.5","v0.26.0","v0.27.0","v0.27.1","v0.28.0","v1.0.0","v1.0.1","v1.0.2","v1.1.0","v1.1.1","v1.1.2","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.4.0","v1.4.1","v1.4.10","v1.4.11","v1.4.12","v1.4.13","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5.0","v1.5.1","v1.5.2","v1.6.1","v1.7.1","v1.7.2","v1.7.3","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-21049.json","vanir_signatures_modified":"2026-04-11T09:46:20Z","vanir_signatures":[{"id":"CVE-2020-21049-300c1a47","signature_version":"v1","target":{"function":"sixel_allocator_calloc","file":"src/allocator.c"},"signature_type":"Function","deprecated":false,"digest":{"length":167,"function_hash":"14053531760985046976932775092926153829"},"source":"https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"},{"id":"CVE-2020-21049-7516b542","signature_version":"v1","target":{"function":"sixel_allocator_malloc","file":"src/allocator.c"},"signature_type":"Function","deprecated":false,"digest":{"length":241,"function_hash":"248279636798139373860926751670000785549"},"source":"https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"},{"id":"CVE-2020-21049-b7c03e43","signature_version":"v1","target":{"file":"src/allocator.c"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["299830155393860697827618934141247146061","146241829523233735463078974435060176264","191065237130737033539251958551560897080","255871072765999720124756059089290237367","281717664013545157945889816801227351691","316609583128505174457879902511827517585","6672221964126041590966727542731475682","230878957094134071707425572935432296593","292521596394687844652728527156577949240","197698837200332871525583239750484894218","184766815279878921875648068209369119125","315197971923010764043084752149568680299","19596710656843220683553100070881730290"],"threshold":0.9},"source":"https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"},{"id":"CVE-2020-21049-eca8721e","signature_version":"v1","target":{"function":"sixel_allocator_realloc","file":"src/allocator.c"},"signature_type":"Function","deprecated":false,"digest":{"length":171,"function_hash":"265876843441913872333024852228689490945"},"source":"https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}