HarfBuzz Null Pointer Dereference Vulnerability in SubtableUnicodesCache Create Function

Vulnerability

A null pointer dereference vulnerability has been identified in HarfBuzz versions prior to 12.3.0. The issue arises in the SubtableUnicodesCache::create function within the OT cmap table handling. The vulnerability occurs because the function does not verify whether the memory allocation via hb_malloc was successful before using placement new to construct an object. This oversight can lead to undefined behavior, specifically a segmentation fault, when hb_malloc fails to allocate memory, which can happen in low-memory situations or with custom allocators that mimic allocation failures.
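As an added illustration, not HarfBuzz's own code, the unchecked create pattern described above beside its hardened form. A constructed allocator switch stands in for hb_malloc so the failure can be simulated; DemoCache, demo_malloc and g_simulate_oom are hypothetical names.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
// Constructed stand-in for hb_malloc: a switch simulates allocation failure,
// as a low-memory condition or a failure-injecting allocator would.
static bool g_simulate_oom = false;
static void* demo_malloc(std::size_t n) {
    return g_simulate_oom ? nullptr : std::malloc(n);
}

// Hypothetical cache object standing in for SubtableUnicodesCache.
struct DemoCache {
    unsigned count;
    explicit DemoCache(unsigned c) : count(c) {}
};

// Vulnerable pattern: the allocation result goes straight into placement new.
// With a null pointer that is undefined behaviour and typically a segfault.
static DemoCache* create_unchecked(unsigned c) {
    void* mem = demo_malloc(sizeof(DemoCache));
    return new (mem) DemoCache(c);   // no null check before construction
}

// Hardened pattern: verify the allocation and report failure to the caller.
static DemoCache* create_checked(unsigned c) {
    void* mem = demo_malloc(sizeof(DemoCache));
    if (!mem) return nullptr;
    return new (mem) DemoCache(c);
}
static void destroy(DemoCache* p) {
    if (p) { p->~DemoCache(); std::free(p); }
}

// Under simulated OOM the hardened create returns nullptr instead of crashing.
static bool checked_create_handles_oom() {
    g_simulate_oom = true;
    DemoCache* p = create_checked(3);
    g_simulate_oom = false;
    return p == nullptr;
}

// On the normal path both variants construct the object correctly.
static bool create_works_when_allocation_succeeds() {
    DemoCache* a = create_checked(7);
    DemoCache* b = create_unchecked(2);
    bool ok = a && b && a->count == 7 && b->count == 2;
    destroy(a); destroy(b);
    return ok;
}
```

Only create_checked is exercised under the simulated failure; calling create_unchecked in that state is the undefined behaviour the advisory describes.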

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by building HarfBuzz with AddressSanitizer enabled, which will detect the null pointer dereference. After compiling the application, the fuzzer can be run with a crafted input that simulates a memory allocation failure, triggering the vulnerability. The input file must be prepared to include the necessary flags and Unicode code points that the create function will process, so that the null pointer dereference occurs when the simulated allocation failure is encountered.

Remediation

Users can upgrade to HarfBuzz version 12.3.0 or later, where this vulnerability has been patched.

Added: Jan 10, 2026, 6:25 AM
Updated: Jan 10, 2026, 6:25 AM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.