I'm still on 5.9, so unsure if 6.0 has moved on to 0.8.20, but if it hasn't, here is the relevant ports patch (as per the irssi github pull request).
Ref: https://irssi.org/security/irssi_sa_2016.txt "Seems legit." Tor $ cat /usr/ports/net/irssi/patches/patch-src_fe-common_formats_c --- src/fe-common/core/formats.c.orig Sat Oct 11 10:42:36 2014 +++ src/fe-common/core/formats.c Fri Nov 25 15:18:29 2016 @@ -131,6 +131,8 @@ unsigned char rgbx[4]; unsigned int i; for (i = 0; i < 4; ++i) { + if ((*ptr)[i + off] == '\0') + return; rgbx[i] = (*ptr)[i + off]; } rgbx[3] -= 0x20; @@ -1354,6 +1356,8 @@ bgcolor = *ptr==(char)0xff ? -1 : *ptr-'0'; } } + if (*ptr == '\0') + break; ptr++; break; case 6:
