{"id":"CVE-2021-45931","details":"HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t\u003chb_bit_set_invertible_t\u003e::set and hb_set_copy).","modified":"2026-04-11T23:37:25.974944Z","published":"2022-01-01T01:15:08.477Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DI6247WOAKB46CZZ6SCDSJVWWCW3GMZH/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4EAIZKL4O67FN2CWJYHYKZEMNYWNWO3D/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5A7TCR2MY46YK3NHQZB3SLESUH354IEA/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-11"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425"},{"type":"FIX","url":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81"},{"type":"EVIDENCE","url":"https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/behdad/harfbuzz","events":[{"introduced":"0"},{"last_affected":"9aa6f8a93f035dd0a1e3978da495d830049480c8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.9.0"}]}},{"type":"GIT","repo":"https://github.com/harfbuzz/harfbuzz","events":[{"introduced":"0"},{"fixed":"d3e09bf4654fe5478b6dbf2b26ebab6271317d81"}]}],"versions":["0.6.0","0.9.1","0.9.10","0.9.11","0.9.12","0.9.13","0.9.14","0.9.15","0.9.16","0.9.17","0.9.18","0.9.19","0.9.2","0.9.20","0.9.21","0.9.22","0.9.23","0.9.24","0.9.25","0.9.26","0.9.27","0.9.28","0.9.29","0.9.3","0.9.30","0.9.31","0.9.32","0.9.33","0.9.34","0.9.35","0.9.36","0.9.37","0.9.38","0.9.39","0.9.4","0.9.40","0.9.41","0.9.42","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.1.0","1.1.1","1.1.2","1.1.3","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.5.0","1.5.1","1.6.0","1.6.1","1.6.2","1.6.3","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.9.0","2.0.0","2.0.1","2.0.2","2.1.0","2.1.1","2.1.2","2.1.3","2.2.0","2.3.0","2.5.0","2.5.1","2.5.2","2.5.3","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.8.0","2.8.1","2.8.2","2.9.0","hb-rename","ng-mergepoint","pango-extractpoint","pango-start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45931.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]}],"vanir_signatures_modified":"2026-04-11T23:37:25Z","vanir_signatures":[{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["85018669528420963836978886403659123607","59887564610422362824948972169725766473","186660007974329403468837277830331739917","169917309244844406793369554228534698615"]},"signature_version":"v1","id":"CVE-2021-45931-018c82e2","target":{"file":"src/hb-map.hh"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":136,"function_hash":"35470908472924385528404091208136193110"},"signature_version":"v1","id":"CVE-2021-45931-0f8acd83","target":{"file":"src/hb-set.cc","function":"hb_set_union"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["165071198434253930090404386820677255236","185133940534448239847005344943263851625","197124313424674693185384079340915182882","228808033583087136495781190718056784071","269918600322272946872024684847346450901","324495716135076229851205587292349403870","9117409492294527691163843376368039862","278656616974813109506249556719928370557","41540758255048116926983903808066591620","106311463147606754777780275442174055694","200814310395352189707972757754901586786","170331328260596768485968882146228102479","12202816363880319209629764054083168460","107725445839684897835304147106352780846","61578416923450974295914812398953067203","76591390621405219773698082160684266840","107213952879693977652493825761729896887","202752765281050035084742682895210409826","243878563580539075155441139638264762474","257625764314658385515743469996837964231","177325711830258274606849357100576517427","204135073866347396462005657915788956781","116265615201483432805695486232819922445","176324584142773727311794363225256402617","257338784566682172991800921540097588621","72030018918722702172633189846794713104","187592572303803045630511565698830908096"]},"signature_version":"v1","id":"CVE-2021-45931-2e4db741","target":{"file":"src/hb-bit-set-invertible.hh"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["9721183790284707610748499451238972798","137266962089000458058289862992356520162","182367515460037135200343924704256379187","335272900280036902793934539210626215430","85799099897464120552808724493855790017"]},"signature_version":"v1","id":"CVE-2021-45931-311d4164","target":{"file":"src/hb-map.cc"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":106,"function_hash":"307447235125656645274258193414585994186"},"signature_version":"v1","id":"CVE-2021-45931-317f32e1","target":{"file":"src/hb-set.cc","function":"hb_set_invert"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":105,"function_hash":"5776196326638460118768258730043337417"},"signature_version":"v1","id":"CVE-2021-45931-6c46a98d","target":{"file":"src/hb-set.cc","function":"hb_set_clear"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":150,"function_hash":"42431797617348060337959437651675279582"},"signature_version":"v1","id":"CVE-2021-45931-a1d35181","target":{"file":"src/hb-set.cc","function":"hb_set_symmetric_difference"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":135,"function_hash":"267121229378950059438692456834877513886"},"signature_version":"v1","id":"CVE-2021-45931-b68f4e7d","target":{"file":"src/hb-set.cc","function":"hb_set_set"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["79740781061440917866734266760517006302","191368786913489922796040357527306506308","85680169149874243912470432109545169813","233842029584899393935252924764073969425","302665168988820283295833024018661968694","96554876975221644026274735902705697406","239924438145885551572013382122935261489","129398004565424147393584673145417085632","259618859347839296765645756335631620918","81970653593079512149846726569572480432","303723527580755202220448848312679792247","239924438145885551572013382122935261489","285659232048792183088941953900427349342","259995267213335016308550557074818875645","117343010407821484827140789079400259622","236698036097444436737759458169640220520","239924438145885551572013382122935261489","37982229190295580952032854589863142773","275635260974461676694902185551984759192","201645642895151514977897147663876898430","180786712328326257688883627174226424149","239924438145885551572013382122935261489","16475138049504533266470452948000421792","20722358526301374155112076379974702725","314984757893159688567588314174109352844","175628652301445568525330885725527997232","239924438145885551572013382122935261489","102304239721649518168630101389645393404","51721275849711363690566893254723287348","141588262384531462299948741712517302167","192037245755324841265334333238092327308","156506492366418313157667481147767763569","215111724466935267223978401103226233360","206589497635194594953098052774122776526","303579380929195496987369893373069463708"]},"signature_version":"v1","id":"CVE-2021-45931-c0899d7e","target":{"file":"src/hb-set.cc"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":112,"function_hash":"157751333171397146957898032984267381944"},"signature_version":"v1","id":"CVE-2021-45931-cec91487","target":{"file":"src/hb-map.cc","function":"hb_map_clear"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":139,"function_hash":"285659907934876876889559731130612135066"},"signature_version":"v1","id":"CVE-2021-45931-dda6c0c7","target":{"file":"src/hb-set.cc","function":"hb_set_intersect"}},{"source":"https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81","signature_type":"Function","deprecated":false,"digest":{"length":138,"function_hash":"53100005427855769146829322665671709908"},"signature_version":"v1","id":"CVE-2021-45931-ead50e36","target":{"file":"src/hb-set.cc","function":"hb_set_subtract"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}