Security Advisories (2)
CVE-2026-0943 (2026-01-19)

HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.

CVE-2026-22693 (2026-01-10)

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.
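
The missing NULL check described above, reduced to a self-contained C++ sketch beside its hardened form. This is an added example, not HarfBuzz source code; Cache, test_malloc, fail_next_alloc, create_unchecked, create_checked and destroy are hypothetical names.

```cpp
#include <cstdlib>
#include <new>

// Hypothetical stand-in for the cache object; not HarfBuzz's real type.
struct Cache {
  const void *table;
  int entries;
  explicit Cache(const void *t) : table(t), entries(0) {}
};

// Hypothetical allocator hook simulating the failure case from the advisory:
// when fail_next_alloc is set, the next request returns NULL.
static bool fail_next_alloc = false;
static void *test_malloc(std::size_t n) {
  if (fail_next_alloc) { fail_next_alloc = false; return nullptr; }
  return std::malloc(n);
}

// Pattern the advisory describes: the constructor runs on whatever the
// allocator returned, so a NULL result is written through (undefined
// behaviour, normally a crash). Shown for comparison; never called here.
Cache *create_unchecked(const void *table) {
  void *mem = test_malloc(sizeof(Cache));
  return new (mem) Cache(table);  // no NULL check before placement new
}

// Hardened form: report allocation failure to the caller instead.
Cache *create_checked(const void *table) {
  void *mem = test_malloc(sizeof(Cache));
  if (!mem) return nullptr;
  return new (mem) Cache(table);
}

// Safe on NULL, so callers can release unconditionally.
void destroy(Cache *c) {
  if (!c) return;
  c->~Cache();
  std::free(c);
}

int main() {
  int font_table = 0;      // constructed sample input
  fail_next_alloc = true;  // simulate a low-memory condition
  Cache *failed = create_checked(&font_table);
  Cache *ok = create_checked(&font_table);
  bool pass = (failed == nullptr) && (ok != nullptr);
  destroy(ok);
  return pass ? 0 : 1;
}
```

Callers of the hardened form must treat a NULL return as "no cache available" and fall back or fail the operation cleanly.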

NAME

HarfBuzz::Shaper - Use HarfBuzz for text shaping

SYNOPSIS

    use HarfBuzz::Shaper;
    my $hb = HarfBuzz::Shaper->new;
    $hb->set_font('LiberationSans.ttf');
    $hb->set_size(36);
    $hb->set_text("Hello!");
    my $info = $hb->shaper;

The result is an array of hashes, one element for each glyph to be typeset.

DESCRIPTION

HarfBuzz::Shaper is a Perl module that provides access to a small subset of the native HarfBuzz library.

The subset is suitable for typesetting programs that need to deal with complex languages like Devanagari.

This module is intended to be used with module Text::Layout. Feel free to (ab)use it for other purposes.

Following the above example, the returned info is an array of hashes, one element for each glyph to be typeset. The hash contains the following items:

ax:   horizontal advance
ay:   vertical advance
dx:   horizontal offset
dy:   vertical offset
g:    glyph index in font (CId)
name: glyph name

Note that the number of glyphs does not necessarily match the number of input characters!

METHODS

$hb = HarfBuzz::Shaper->new( [ options ] )

Creates a new shaper object.

Options:

  • font => font filename

  • size => text size

$hb->set_font( font filename [ , size ] )

Explicit way to set the font (and, optionally, the size) used for shaping.

The font must be a TrueType or OpenType font. Font information is cached internally; after the first call, subsequent calls with the same font filename are very fast.

$hb->set_size( size )

Explicit way to set the font size used for shaping.

Note that the font size will in general affect details of the appearance. A 5 point font size magnified 10 times is not identical to a 50 point font size.

$hb->set_text( text [ , ... ] )

Set the text to shape. Multiple arguments are concatenated.

Note that the text must be Perl strings.

$info = $hb->shaper()

Performs the shaping. Upon completion an array of hashes is returned with one element for each glyph to be rendered.

The hash contains the following items:

ax:   horizontal advance
ay:   vertical advance
dx:   horizontal offset
dy:   vertical offset
g:    glyph index in font (CId)
name: glyph name

Note that the number of glyphs does not necessarily match the number of input characters!

SEE ALSO

Text::Layout

HarfBuzz website and documentation: https://harfbuzz.github.io/index.html.

BUGS AND DEFICIENCIES

It probably leaks memory. We'll see.

SUPPORT AND DOCUMENTATION

Development of this module takes place on GitHub: https://github.com/sciurius/perl-HarfBuzz-Shaper.

You can find documentation for this module with the perldoc command.

    perldoc HarfBuzz::Shaper

Please report any bugs or feature requests using the issue tracker on GitHub.

HarfBuzz website and documentation: https://harfbuzz.github.io/index.html.

COPYRIGHT AND LICENCE

Copyright (C) 2020 by Johan Vromans

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.