HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
[
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "src/hb-map.hh"
},
"digest": {
"line_hashes": [
"85018669528420963836978886403659123607",
"59887564610422362824948972169725766473",
"186660007974329403468837277830331739917",
"169917309244844406793369554228534698615"
],
"threshold": 0.9
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-018c82e2"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_union"
},
"digest": {
"length": 136.0,
"function_hash": "35470908472924385528404091208136193110"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-0f8acd83"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "src/hb-bit-set-invertible.hh"
},
"digest": {
"line_hashes": [
"165071198434253930090404386820677255236",
"185133940534448239847005344943263851625",
"197124313424674693185384079340915182882",
"228808033583087136495781190718056784071",
"269918600322272946872024684847346450901",
"324495716135076229851205587292349403870",
"9117409492294527691163843376368039862",
"278656616974813109506249556719928370557",
"41540758255048116926983903808066591620",
"106311463147606754777780275442174055694",
"200814310395352189707972757754901586786",
"170331328260596768485968882146228102479",
"12202816363880319209629764054083168460",
"107725445839684897835304147106352780846",
"61578416923450974295914812398953067203",
"76591390621405219773698082160684266840",
"107213952879693977652493825761729896887",
"202752765281050035084742682895210409826",
"243878563580539075155441139638264762474",
"257625764314658385515743469996837964231",
"177325711830258274606849357100576517427",
"204135073866347396462005657915788956781",
"116265615201483432805695486232819922445",
"176324584142773727311794363225256402617",
"257338784566682172991800921540097588621",
"72030018918722702172633189846794713104",
"187592572303803045630511565698830908096"
],
"threshold": 0.9
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-2e4db741"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "src/hb-map.cc"
},
"digest": {
"line_hashes": [
"9721183790284707610748499451238972798",
"137266962089000458058289862992356520162",
"182367515460037135200343924704256379187",
"335272900280036902793934539210626215430",
"85799099897464120552808724493855790017"
],
"threshold": 0.9
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-311d4164"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_invert"
},
"digest": {
"length": 106.0,
"function_hash": "307447235125656645274258193414585994186"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-317f32e1"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_clear"
},
"digest": {
"length": 105.0,
"function_hash": "5776196326638460118768258730043337417"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-6c46a98d"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_symmetric_difference"
},
"digest": {
"length": 150.0,
"function_hash": "42431797617348060337959437651675279582"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-a1d35181"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_set"
},
"digest": {
"length": 135.0,
"function_hash": "267121229378950059438692456834877513886"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-b68f4e7d"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "src/hb-set.cc"
},
"digest": {
"line_hashes": [
"79740781061440917866734266760517006302",
"191368786913489922796040357527306506308",
"85680169149874243912470432109545169813",
"233842029584899393935252924764073969425",
"302665168988820283295833024018661968694",
"96554876975221644026274735902705697406",
"239924438145885551572013382122935261489",
"129398004565424147393584673145417085632",
"259618859347839296765645756335631620918",
"81970653593079512149846726569572480432",
"303723527580755202220448848312679792247",
"239924438145885551572013382122935261489",
"285659232048792183088941953900427349342",
"259995267213335016308550557074818875645",
"117343010407821484827140789079400259622",
"236698036097444436737759458169640220520",
"239924438145885551572013382122935261489",
"37982229190295580952032854589863142773",
"275635260974461676694902185551984759192",
"201645642895151514977897147663876898430",
"180786712328326257688883627174226424149",
"239924438145885551572013382122935261489",
"16475138049504533266470452948000421792",
"20722358526301374155112076379974702725",
"314984757893159688567588314174109352844",
"175628652301445568525330885725527997232",
"239924438145885551572013382122935261489",
"102304239721649518168630101389645393404",
"51721275849711363690566893254723287348",
"141588262384531462299948741712517302167",
"192037245755324841265334333238092327308",
"156506492366418313157667481147767763569",
"215111724466935267223978401103226233360",
"206589497635194594953098052774122776526",
"303579380929195496987369893373069463708"
],
"threshold": 0.9
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-c0899d7e"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-map.cc",
"function": "hb_map_clear"
},
"digest": {
"length": 112.0,
"function_hash": "157751333171397146957898032984267381944"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-cec91487"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_intersect"
},
"digest": {
"length": 139.0,
"function_hash": "285659907934876876889559731130612135066"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-dda6c0c7"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/hb-set.cc",
"function": "hb_set_subtract"
},
"digest": {
"length": 138.0,
"function_hash": "53100005427855769146829322665671709908"
},
"source": "https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81",
"signature_version": "v1",
"id": "CVE-2021-45931-ead50e36"
}
]