This bug corresponds to the upstream Issue https://github.com/TigerVNC/tigervnc/pull/378:
"The hextileDecodexx functions do not properly check for out-of-bounds pixel buffer writes,
which allows a malicious server to overwrite parts of the stack."
I haven't been able to reproduce any original problem (4.7.0 and nightly clients behave the same). I can confirm that the code referenced in the pull request is present in our source code repositories.