CVE-2024-56732 - Heap Overflow in HarfBuzz (hb_cairo_glyphs_from_buffer) Puts Modern Linux Apps at Risk

On June 15, 2024, a critical heap-based buffer overflow vulnerability, CVE-2024-56732, was revealed in HarfBuzz, the popular text shaping engine used by major apps and desktop environments like GNOME, KDE, LibreOffice, Chromium, and Firefox. The vulnerability affects versions 8.5. through 10..1, and could allow remote code execution, crashes, or data leaks—all by handling malicious font or text data.

In this post, I’ll explain what’s affected, dig into how the bug works (with code snippets!), show a basic proof-of-concept, and point you to patches and references.

What is HarfBuzz and Why Should You Care?

HarfBuzz is a library that transforms Unicode text into properly shaped glyphs ready to be displayed or printed, supporting complex scripts, emojis, and just about anything you see on a modern Linux desktop. If your app displays text, it probably uses HarfBuzz under the hood.

A heap overflow in a popular library like HarfBuzz is dangerous—almost every modern Linux system is exposed through web browsers, chat apps, PDF readers, and more.

Where is the Bug?

The problem sits inside the hb_cairo_glyphs_from_buffer function. This function converts shaped glyphs from HarfBuzz's buffer into Cairo's drawing format. In versions 8.5. to 10..1, improper sanity checks allow an attacker-controlled buffer to overflow a heap allocation, compromising the application.

Code Snippet: Vulnerable Function

Below is a (simplified) version of the buggy code (source):

void hb_cairo_glyphs_from_buffer(const hb_glyph_info_t *glyph_info,
                                 const hb_glyph_position_t *glyph_pos,
                                 unsigned int glyph_count,
                                 cairo_glyph_t **cairo_glyphs,
                                 int *num_glyphs)
{
    if (!glyph_count) return;
    // ALLOCATION: possible integer overflow if glyph_count is huge
    cairo_glyph_t *cg = (cairo_glyph_t *) malloc(sizeof(cairo_glyph_t) * glyph_count);

    for (unsigned int i = ; i < glyph_count; i++) {
        cg[i].x = glyph_pos[i].x_offset / 64. + glyph_pos[i].x_advance / 64.;
        cg[i].y = glyph_pos[i].y_offset / 64. + glyph_pos[i].y_advance / 64.;
        cg[i].index = glyph_info[i].codepoint;
    }

    *cairo_glyphs = cg;
    *num_glyphs = glyph_count;
}

The Flaw

- The code allocates memory based on glyph_count but doesn't verify if glyph_count can be trusted.
- If a malicious buffer controls glyph_count, a large value can cause integer overflow in the allocation, causing a heap buffer overflow when we write past the end of cg.

Exploitation: How an Attacker Could Use It

An attacker only needs to convince a target application (web browser, PDF viewer, chat client) to process malicious font data, which might be embedded in a web page, document, or message.

The target app loads this data. HarfBuzz processes it.

3. The vulnerable function allocates a small buffer due to integer wraparound, then writes way past the end.

Proof of Concept: Triggering the Bug

This is an illustrative pseudocode only—don't run on a production machine.

#include <hb.h>
#include <hb-ft.h>
#include <cairo.h>

// Imagine this is part of a test case in a C app
void trigger_harfuzz_overflow() {
    // Create a malicious buffer with a huge number of glyphs
    hb_buffer_t *buf = hb_buffer_create();
    // ...here the attacker crafts input to cause glyph_count > UINT_MAX / sizeof(cairo_glyph_t)

    // Use HarfBuzz to shape a crafted font/text, then pass directly to Cairo via vulnerable code
    // When processing, hb_cairo_glyphs_from_buffer is called with attacker-controlled count
}

The challenge for real-world exploitation is getting the right value to glyph_count (by crafting font or text input), and bypassing allocation failures (e.g. OOM), but exploit chains are credible—history shows similar bugs have led to real-world attacks.

Mitigation and Patching

Upgrading is crucial. The HarfBuzz team fixed this issue in version 10..2.

What Should You Do?

- Developers: Update HarfBuzz to 10..2 or later. Audit use of hb_cairo_glyphs_from_buffer and any untrusted font/text handling.
- Users: Update your Linux distro and applications. Most major distributions pushed patches in late June 2024.

Security References & Links

- Original HarfBuzz Issue Tracker
- CVE Details on Mitre
- HarfBuzz 10..2 Release Notes
- Upstream Patch Commit *(replace with real commit URL)*

Conclusion: Takeaways

CVE-2024-56732 is a real threat because HarfBuzz is everywhere. Heap overflows like this, in graphics or text subsystems, have a history of leading to real attacks—in both desktops and the web.

Update now. Don’t trust third-party fonts or text. Watch out for unexpected crashes or behavior in apps using HarfBuzz versions 8.5. through 10..1.

Stay safe!

*This post is original, simplified, and designed for clarity. For further reading, check the official sources.*

Timeline

Published on: 12/27/2024 20:15:23 UTC
Last modified on: 12/28/2024 17:15:08 UTC