In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
https://www.debian.org/security/2022/dsa-5276
https://lists.debian.org/debian-lts-announce/2022/11/msg00008.html