Message-ID: <f6825a3e-06ba-4672-afc1-171c7ae48d9d@oracle.com>
Date: Sat, 10 Jan 2026 17:54:38 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Null Pointer Dereference in HarfBuzz
https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
advises:
> HarfBuzz Null Pointer Dereference Vulnerability Report
> ======================================================
>
> Summary
> -------
> Affected Version: HarfBuzz 12.3.0 (earlier versions may also be affected)
> CWE: CWE-476 (NULL Pointer Dereference)
> Impact: DoS (Denial of Service)
> Vulnerable Function: OT::SubtableUnicodesCache::create()
> Vulnerable File: src/hb-ot-cmap-table.hh:1672-1673
>
> 1. Background
>
> This vulnerability occurs in the SubtableUnicodesCache::create function
> executed by hb_subset_preprocess. This function generates accelerator data
> for the cmap table to improve font subsetting performance.
>
> HarfBuzz uses failing-alloc.c to simulate memory allocation failures in
> fuzzing environments. This file overrides the hb_malloc_impl function to
> return NULL with a probability of 1/16:
>
> void* hb_malloc_impl (size_t size)
> {
>   return (fastrand () % 16) ? malloc (size) : NULL;
> }
>
> 2. Vulnerability Description and Impact
>
> Description
> -----------
>
> A null pointer dereference vulnerability exists in the
> SubtableUnicodesCache::create function located in
> src/hb-ot-cmap-table.hh:1672-1673. The function fails to check if
> hb_malloc returns NULL before using placement new to construct an
> object at the returned pointer address.
>
> When hb_malloc fails to allocate memory (which can occur in low-memory
> conditions or when using custom allocators that simulate allocation
> failures), it returns NULL. The code then attempts to call the
> constructor on this null pointer using placement new syntax, resulting
> in undefined behavior and a Segmentation Fault.
>
> Impact
> ------
> DoS can be triggered.
>
> 3. Scenario
>
> The function prototype is as follows:
>
> // src/hb-ot-cmap-table.hh:1669-1675
> static SubtableUnicodesCache* create (hb_blob_ptr_t<cmap> source_table)
> {
>   SubtableUnicodesCache* cache =
>     (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
>   new (cache) SubtableUnicodesCache (source_table);
>   return cache;
> }
>
> The vulnerable part is:
>
>   SubtableUnicodesCache* cache =
>     (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
>   new (cache) SubtableUnicodesCache (source_table);
>
> The types of each operand are:
>
> hb-ot-cmap-table.hh:
>
> static SubtableUnicodesCache* create (hb_blob_ptr_t<cmap> source_table)
>
> hb.hh:
>
> void* hb_malloc (size_t size);
>
> Although all operands are pointer types, there is no null check for the return
> value of hb_malloc, causing placement new to be executed on a null pointer.
>
> 4. How to Reproduce
[see https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
for PoC code & instructions]
> 5. Result
>
> Segmentation Fault occurs.
> Crash Output
>
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==25681==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x59ca4a8f5616 bp 0x7ffea8bd7890 sp 0x7ffea8bd7870 T0)
> ==25681==The signal is caused by a WRITE memory access.
> ==25681==Hint: address points to the zero page.
> #0 0x59ca4a8f5616 in OT::SubtableUnicodesCache::SubtableUnicodesCache(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1692:9
> #1 0x59ca4a8f5616 in OT::SubtableUnicodesCache::create(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1673:17
> #2 0x59ca4a8f3eee in OT::cmap::create_filled_cache(hb_blob_ptr_t<OT::cmap>) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1765:36
> #3 0x59ca4a857f6b in _attach_accelerator_data(hb_subset_plan_t*, hb_face_t*) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:322:23
> #4 0x59ca4a857f6b in hb_subset_plan_execute_or_fail /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:447:5
> #5 0x59ca4a853c87 in hb_subset_or_fail /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset.cc:359:24
> #6 0x59ca4a84e051 in hb_subset_preprocess /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-subset-input.cc:776:27
> #7 0x59ca4a2cc51c in test_pipeline(unsigned char const*, unsigned long, char const*) /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../test/fuzzing/repro.cc:126:25
> #8 0x59ca4a2cc51c in main /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../test/fuzzing/repro.cc:379:16
> #9 0x73592862a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> #10 0x73592862a28a in __libc_start_main csu/../csu/libc-start.c:360:3
> #11 0x59ca4a1eff44 in _start (/home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/test/fuzzing/repro+0x7f6f44) (BuildId: c0ff5896dd1a71d20ba3d34e75d13dd1ee110590)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/wjddn0623/Knights_Frontier/fuzzing/harfbuzz/fuzzbuild/../src/hb-ot-cmap-table.hh:1692:9 in OT::SubtableUnicodesCache::SubtableUnicodesCache(hb_blob_ptr_t<OT::cmap>)
> ==25681==ABORTING
>
> Analysis
>
> Error Type: SEGV (Segmentation Violation)
> Access Address: 0x000000000000 (null pointer)
> Access Type: WRITE (write access)
> Occurrence Location: hb-ot-cmap-table.hh:1692 (inside constructor)
> Root Cause Location: hb-ot-cmap-table.hh:1673 (missing null check)
[see https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
for screenshots]
> Credit
> ------
> HSPACE Knights Frontier
>
> Reporter : JungWoo Park (with contributions from WooJin Won, HyunYeong Yoo)
>
> JungWooJJING(@JungWooJJING) JungWoo Park of SSA Lab
> Github : JungWooJJING
> e-mail : [cuby5577@...il.com]
>
> wonwoojin
> Github : @woozhin
> e-mail : [woonwoojin5@...il.com]
>
> yhy
> Github : @ttuurrnn
> e-mail : [dbgusdud5493@...il.com]
>
>
> Severity: Moderate 5.3 / 10
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> CVE ID: CVE-2026-22693
The fix is listed as:
https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
which was merged yesterday, weeks after the 12.3.0 release, despite the CVE record
claiming "This issue has been patched in version 12.3.0."
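The bug class the advisory describes, a missing NULL check between `hb_malloc` and placement new, is easy to reproduce in isolation. The following is an added illustration, not HarfBuzz code and not the fix from the linked commit: `FakeTable`, `Cache`, `fake_hb_malloc` and `cache_entries` are constructed stand-ins, and the allocator is switched to fail deterministically rather than with the 1/16 probability of failing-alloc.c. `create_unchecked` shows the reported pattern (kept for comparison and never called with a failing allocator, since constructing at address 0 is undefined behaviour); `create_checked` shows the shape of the defensive check and how a caller handles the resulting nullptr.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Constructed stand-in for the cmap table handle (the real type is
// hb_blob_ptr_t<OT::cmap>); the field is an assumption for this example.
struct FakeTable {
  int num_subtables;
};

// Allocator that can be told to fail, mirroring what failing-alloc.c does
// probabilistically in HarfBuzz's fuzzing builds (deterministic here).
static bool g_alloc_should_fail = false;

void* fake_hb_malloc(size_t size) {
  if (g_alloc_should_fail) return nullptr;
  return std::malloc(size);
}

// Constructed stand-in for OT::SubtableUnicodesCache; fields are assumed.
struct Cache {
  const FakeTable* source;
  int entries;

  explicit Cache(const FakeTable* src)
      : source(src), entries(src->num_subtables) {}

  // The pattern the advisory reports: no null check before placement new.
  // When the allocator returns NULL this writes the object at address 0,
  // which is the SEGV (WRITE to the zero page) in the ASan trace above.
  // Defined for comparison only; not called with a failing allocator.
  static Cache* create_unchecked(const FakeTable* src) {
    Cache* cache = (Cache*) fake_hb_malloc(sizeof(Cache));
    new (cache) Cache(src);  // dereferences cache even when it is nullptr
    return cache;
  }

  // Hardened form: refuse to construct on allocation failure and report
  // nullptr to the caller (an independent illustration of the check, not
  // necessarily the exact change made in HarfBuzz's fix commit).
  static Cache* create_checked(const FakeTable* src) {
    Cache* cache = (Cache*) fake_hb_malloc(sizeof(Cache));
    if (!cache) return nullptr;
    new (cache) Cache(src);
    return cache;
  }

  static void destroy(Cache* cache) {
    if (!cache) return;
    cache->~Cache();
    std::free(cache);
  }
};

// Caller-side handling: returns the number of cache entries, or -1 when the
// allocation failed and was handled without touching a null pointer.
int cache_entries(bool fail_alloc) {
  FakeTable table{3};  // constructed sample table with three subtables
  g_alloc_should_fail = fail_alloc;
  Cache* cache = Cache::create_checked(&table);
  g_alloc_should_fail = false;
  if (!cache) return -1;  // out-of-memory path: graceful failure, no crash
  int n = cache->entries;
  Cache::destroy(cache);
  return n;
}

int main() {
  // Succeeds with the normal allocator, fails cleanly with the failing one.
  return (cache_entries(false) == 3 && cache_entries(true) == -1) ? 0 : 1;
}
```

Running this under ASan with a failing allocator exercises only the checked path, so there is no report; swapping `create_checked` for `create_unchecked` in `cache_entries` reproduces the "SEGV on unknown address 0x000000000000 ... WRITE" shape seen in the advisory's trace. The same allocator-failure injection is what the HarfBuzz fuzzing build relies on to find this class of bug.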