
How to fuzz HarfBuzz

Cross-platform text shaping engine used in Chrome, Firefox, Android, and macOS

HarfBuzz turns Unicode codepoints into positioned glyphs, executing complex shaping rules from the font file. Both the OpenType layout tables and the cluster math are dense with edge cases — coverage-guided fuzzing routinely surfaces bugs at the boundary of unusual scripts.

Common bug classes

  • Heap overflows in OpenType GSUB / GPOS table walks
  • Out-of-bounds reads on malformed CFF subroutine indices
  • Integer overflow in cluster mapping arithmetic
  • Use-after-free in face / font destruction paths

Recommended setup

Fuzzers

  • libFuzzer
  • AFL++

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <hb.h>
#include <stddef.h>
#include <stdint.h>

// libFuzzer entry point: every call receives one mutated font file. The blob wraps
// the fuzzer's buffer without copying, so an out-of-bounds table walk touches
// sanitizer-instrumented memory directly and is reported at the faulting read.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  hb_blob_t *blob = hb_blob_create((const char *)data, size,
                                   HB_MEMORY_MODE_READONLY, nullptr, nullptr);
  hb_face_t *face = hb_face_create(blob, 0);   // face index 0; a TTC input has more
  hb_font_t *font = hb_font_create(face);
  hb_buffer_t *buf = hb_buffer_create();
  // Latin, digits and Arabic in one run so both the simple and the complex shapers execute.
  hb_buffer_add_utf8(buf, "Hello World 0123 \u0627\u0644\u0639", -1, 0, -1);
  hb_buffer_guess_segment_properties(buf);     // derive script, direction and language from the text
  hb_shape(font, buf, nullptr, 0);             // no user features; OpenType defaults apply
  // Tear down in reverse creation order; the destruction paths are a listed bug class.
  hb_buffer_destroy(buf);
  hb_font_destroy(font);
  hb_face_destroy(face);
  hb_blob_destroy(blob);
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
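The scaffold shapes whatever font the fuzzer hands it, so seed quality decides whether the GSUB / GPOS and CFF paths from the bug list above are ever reached. The helper below is an added example, not part of this page or of HarfBuzz: it walks the OpenType table directory of a candidate seed (a plain sfnt, or the first face of a 'ttcf' collection, matching the harness's face index 0), rejects files whose table records point outside the file, and reports which of those tables are present so seeds can be ranked before the corpus is handed to libFuzzer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Summary of one candidate seed (constructed helper, not a HarfBuzz API).
struct SeedInfo {
  bool valid = false;       // table directory parsed and every record stays inside the file
  uint32_t num_fonts = 1;   // >1 only for a 'ttcf' collection
  bool has_gsub = false, has_gpos = false, has_cff = false;
};

static uint32_t be32(const uint8_t *p) {
  return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

SeedInfo inspect_seed(const uint8_t *data, size_t size) {
  SeedInfo info;
  if (size < 12) return info;                      // sfnt header is 12 bytes
  size_t dir = 0;                                  // offset of the table directory
  uint32_t tag = be32(data);
  if (tag == 0x74746366) {                         // 'ttcf': inspect face 0, like the harness
    if (size < 16) return info;
    info.num_fonts = be32(data + 8);
    if (info.num_fonts == 0) return info;
    dir = be32(data + 12);
    if (dir > size - 12) return info;              // first offset table lies past the end
    tag = be32(data + dir);
  }
  if (tag != 0x00010000 && tag != 0x4F54544F /* 'OTTO' */ && tag != 0x74727565 /* 'true' */)
    return info;
  uint16_t num_tables = be16(data + dir + 4);
  if ((size - dir - 12) / 16 < num_tables) return info;  // directory itself is truncated
  for (uint16_t i = 0; i < num_tables; i++) {
    const uint8_t *rec = data + dir + 12 + (size_t)i * 16;   // tag, checksum, offset, length
    uint32_t t = be32(rec), off = be32(rec + 8), len = be32(rec + 12);
    if (off > size || len > size - off) return info;   // the bounds check every table walk must make
    if (t == 0x47535542) info.has_gsub = true;         // 'GSUB'
    if (t == 0x47504F53) info.has_gpos = true;         // 'GPOS'
    if (t == 0x43464620 || t == 0x43464632) info.has_cff = true;  // 'CFF ' or 'CFF2'
  }
  info.valid = true;
  return info;
}
```

Run it over a font collection and keep the seeds that come back valid with at least one flagged table; truncated and out-of-range records are what the mutator will produce on its own.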

Notable CVEs found by fuzzing

  • CVE-2022-33068
  • CVE-2023-25193