oss-sec mailing list archives
Null Pointer Dereference in HarfBuzz
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 10 Jan 2026 17:54:38 -0800
https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww advises:
HarfBuzz Null Pointer Dereference Vulnerability Report
======================================================
Summary
-------
Affected Version: HarfBuzz 12.3.0 (earlier versions may also be affected)
CWE: CWE-476 (NULL Pointer Dereference)
Impact: DoS (Denial of Service)
Vulnerable Function: OT::SubtableUnicodesCache::create()
Vulnerable File: src/hb-ot-cmap-table.hh:1672-1673
1. Background
This vulnerability occurs in the SubtableUnicodesCache::create function
executed by hb_subset_preprocess. This function generates accelerator data
for the cmap table to improve font subsetting performance.
HarfBuzz uses failing-alloc.c to simulate memory allocation failures in
fuzzing environments. This file overrides the hb_malloc_impl function to
return NULL with a probability of 1/16:
void* hb_malloc_impl (size_t size)
{
  return (fastrand () % 16) ? malloc (size) : NULL;
}
2. Vulnerability Description and Impact
Description
-----------
A null pointer dereference vulnerability exists in the
SubtableUnicodesCache::create function located in
src/hb-ot-cmap-table.hh:1672-1673. The function fails to check if
hb_malloc returns NULL before using placement new to construct an
object at the returned pointer address.
When hb_malloc fails to allocate memory (which can occur in low-memory
conditions or when using custom allocators that simulate allocation
failures), it returns NULL. The code then attempts to call the
constructor on this null pointer using placement new syntax, resulting
in undefined behavior and a Segmentation Fault.
Impact
------
DoS can be triggered.
3. Scenario
The function prototype is as follows:
// src/hb-ot-cmap-table.hh:1669-1675
static SubtableUnicodesCache* create (hb_blob_ptr_t<cmap> source_table)
{
  SubtableUnicodesCache* cache =
    (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
  new (cache) SubtableUnicodesCache (source_table);
  return cache;
}
The vulnerable part is:
  SubtableUnicodesCache* cache =
    (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
  new (cache) SubtableUnicodesCache (source_table);
The types of each operand are:
hb-ot-cmap-table.hh:
static SubtableUnicodesCache* create (hb_blob_ptr_t<cmap> source_table)
hb.hh:
void* hb_malloc (size_t size);
Although all operands are pointer types, there is no null check for the return
value of hb_malloc, causing placement new to be executed on a null pointer.
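As an added illustration (this is not HarfBuzz code and not the fix commit), the allocate-then-placement-new shape quoted above is shown next to a form that checks the allocation first, driven by a deterministic allocation-failure hook that stands in for failing-alloc.c. Everything here is invented for the example: DemoCache, demo_malloc, create_unchecked, create_checked and the g_allocs_until_fail counter are assumptions, and the constructor writes to members so the failure mode matches the WRITE to the zero page in the ASan report.

```cpp
// Added example, not HarfBuzz code: the advisory's create() pattern with and
// without a null check, under a deterministic fault-injecting allocator.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>

// Hypothetical fault injector. failing-alloc.c fails at random (1/16);
// this one fails when the counter reaches zero so tests are repeatable.
// A negative value means "never fail".
static int g_allocs_until_fail = -1;

static void* demo_malloc(std::size_t size)
{
  if (g_allocs_until_fail == 0) return nullptr;   // simulated OOM
  if (g_allocs_until_fail > 0) --g_allocs_until_fail;
  return std::malloc(size);
}

// Minimal stand-in for OT::SubtableUnicodesCache. The constructor stores
// into members, i.e. it writes through `this`; with a null `this` that is
// the write to address 0 the sanitizer reported.
struct DemoCache
{
  const void* source;
  unsigned    cached_count;

  explicit DemoCache(const void* src) : source(src), cached_count(0) {}
};

// Vulnerable shape, as in the advisory: placement new on an unchecked pointer.
// Calling this when demo_malloc returns nullptr is undefined behaviour and
// crashes in practice; it is never invoked under forced failure below.
static DemoCache* create_unchecked(const void* src)
{
  DemoCache* cache = (DemoCache*) demo_malloc(sizeof(DemoCache));
  new (cache) DemoCache(src);
  return cache;
}

// Hardened shape: test the allocation and report failure to the caller
// instead of constructing into a null address.
static DemoCache* create_checked(const void* src)
{
  DemoCache* cache = (DemoCache*) demo_malloc(sizeof(DemoCache));
  if (!cache) return nullptr;
  new (cache) DemoCache(src);
  return cache;
}

static void destroy(DemoCache* cache)
{
  if (!cache) return;
  cache->~DemoCache();
  std::free(cache);
}

// Runs the hardened path with the next allocation forced to fail.
// Returns true when the failure is reported as nullptr, i.e. handled.
static bool survives_alloc_failure()
{
  int dummy = 0;
  g_allocs_until_fail = 0;
  DemoCache* c = create_checked(&dummy);
  g_allocs_until_fail = -1;
  bool ok = (c == nullptr);
  destroy(c);
  return ok;
}

// Runs both shapes with allocation allowed; both must produce a live object.
static bool works_when_alloc_succeeds()
{
  int dummy = 0;
  g_allocs_until_fail = -1;
  DemoCache* a = create_checked(&dummy);
  DemoCache* b = create_unchecked(&dummy);
  bool ok = a && b && a->source == &dummy && b->source == &dummy
            && a->cached_count == 0 && b->cached_count == 0;
  destroy(a);
  destroy(b);
  return ok;
}

int main()
{
  std::printf("checked create under OOM handled: %s\n",
              survives_alloc_failure() ? "yes" : "no");
  std::printf("both shapes work when malloc succeeds: %s\n",
              works_when_alloc_succeeds() ? "yes" : "no");
  return 0;
}
```

The point of the deterministic counter is that the null path can be exercised on every run rather than with 1/16 probability, which is how a unit test for the checked form is kept stable; a caller of create_checked must in turn treat nullptr as "no cache", the way create_filled_cache's caller in the trace above would have to.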
4. How to Reproduce
[see https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww for PoC code & instructions]
5. Result
Segmentation Fault occurs.
Crash Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25681==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x59ca4a8f5616 bp 0x7ffea8bd7890 sp 0x7ffea8bd7870 T0)
==25681==The signal is caused by a WRITE memory access.
==25681==Hint: address points to the zero page.
    #0 0x59ca4a8f5616 in OT::SubtableUnicodesCache::SubtableUnicodesCache(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1692:9
    #1 0x59ca4a8f5616 in OT::SubtableUnicodesCache::create(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1673:17
    #2 0x59ca4a8f3eee in OT::cmap::create_filled_cache(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1765:36
    #3 0x59ca4a857f6b in _attach_accelerator_data(hb_subset_plan_t*, hb_face_t*) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:322:23
    #4 0x59ca4a857f6b in hb_subset_plan_execute_or_fail /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:447:5
    #5 0x59ca4a853c87 in hb_subset_or_fail /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:359:24
    #6 0x59ca4a84e051 in hb_subset_preprocess /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset-input.cc:776:27
    #7 0x59ca4a2cc51c in test_pipeline(unsigned char const*, unsigned long, char const*) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../test/fuzzing/repro.cc:126:25
    #8 0x59ca4a2cc51c in main /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../test/fuzzing/repro.cc:379:16
    #9 0x73592862a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x73592862a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x59ca4a1eff44 in _start (/home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/test/fuzzing/repro+0x7f6f44) (BuildId: c0ff5896dd1a71d20ba3d34e75d13dd1ee110590)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1692:9 in OT::SubtableUnicodesCache::SubtableUnicodesCache(hb_blob_ptr_t<OT::cmap>)
==25681==ABORTING
Analysis
Error Type: SEGV (Segmentation Violation)
Access Address: 0x000000000000 (null pointer)
Access Type: WRITE (write access)
Occurrence Location: hb-ot-cmap-table.hh:1692 (inside constructor)
Root Cause Location: hb-ot-cmap-table.hh:1673 (missing null check)
[see https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww for screenshots]
Credit
------
HSPACE Knights Frontier
Reporter : JungWoo Park (with contributions from WooJin Won, HyunYeong Yoo)
JungWooJJING (@JungWooJJING)
JungWoo Park of SSA Lab
  Github : JungWooJJING
  e-mail : [cuby5577 () gmail com]
wonwoojin
  Github : @woozhin
  e-mail : [woonwoojin5 () gmail com]
yhy
  Github : @ttuurrnn
  e-mail : [dbgusdud5493 () gmail com]
Severity: Moderate
5.3 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2026-22693
The fix is listed as: https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae which was merged yesterday, weeks after the 12.3.0 release, despite the CVE record claiming "This issue has been patched in version 12.3.0."