From a76d20e3102e2bd6417e49227d5f3c141e9e97ac Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 12 Jan 2026 06:12:46 +0000
Subject: [PATCH] Patch harfbuzz for CVE-2026-22693
---
 SPECS/harfbuzz/CVE-2026-22693.patch | 31 +++++++++++++++++++++++++++++
 SPECS/harfbuzz/harfbuzz.spec | 6 +++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/harfbuzz/CVE-2026-22693.patch
diff --git a/SPECS/harfbuzz/CVE-2026-22693.patch b/SPECS/harfbuzz/CVE-2026-22693.patch
new file mode 100644
index 00000000000..bd3dbed6221
--- /dev/null
+++ b/SPECS/harfbuzz/CVE-2026-22693.patch
@@ -0,0 +1,31 @@
+From 3f8074cf6c2f869fad463981ce3891811585d2d7 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod
+Date: Fri, 9 Jan 2026 04:54:42 -0700
+Subject: [PATCH] malloc fail test (#5710)
+
+Fixes https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae.patch
+---
+ src/hb-ot-cmap-table.hh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh
+index e2e2581..2f7d727 100644
+--- a/src/hb-ot-cmap-table.hh
++++ b/src/hb-ot-cmap-table.hh
+@@ -1534,6 +1534,10 @@ struct SubtableUnicodesCache {
+ {
+ SubtableUnicodesCache* cache =
+ (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
++
++ if (unlikely (!cache))
++ return nullptr;
++
+ new (cache) SubtableUnicodesCache (source_table);
+ return cache;
+ }
+--
+2.45.4
+
diff --git a/SPECS/harfbuzz/harfbuzz.spec b/SPECS/harfbuzz/harfbuzz.spec
index 93362b045ec..01b68255a0c 100644
--- a/SPECS/harfbuzz/harfbuzz.spec
+++ b/SPECS/harfbuzz/harfbuzz.spec
@@ -1,7 +1,7 @@
 Summary: opentype text shaping engine
 Name: harfbuzz
 Version: 8.3.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
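Review bot: In the new file SPECS/harfbuzz/CVE-2026-22693.patch, the added `if (unlikely (!cache)) return nullptr;` makes this allocation path return null on out-of-memory, and no caller of it is visible here to show that the result is checked. The enclosing function starts above the inner hunk, and the fix was written against a later upstream tree than the 8.3.0 source this spec builds, so each 8.3.0 call site should be confirmed to test the returned pointer before using or releasing it; otherwise the null dereference only moves one frame up. A short comment above the check would record the contract, e.g. `/* Returns nullptr on allocation failure; callers must check. */`, though that is probably better proposed upstream than carried as a local delta.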
@@ -9,6 +9,7 @@ Group: System Environment/Libraries
 URL: https://harfbuzz.github.io/
 Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
 Patch0: CVE-2024-56732.patch
+Patch1: CVE-2026-22693.patch
 BuildRequires: pkgconfig(cairo)
 BuildRequires: pkgconfig(freetype2)
 BuildRequires: pkgconfig(glib-2.0)
@@ -91,6 +92,9 @@ find . -type f -name "*.py" -exec sed -i'' -e '1 s|^#!\s*/usr/bin/env\s\+python3
 %{_libdir}/libharfbuzz-icu.so.*
 %changelog
+* Mon Jan 12 2026 Azure Linux Security Servicing Account - 8.3.0-4
+- Patch for CVE-2026-22693
+
 * Wed Jan 08 2025 Sudipta Pandit - 8.3.0-3
 - Patch for CVE-2024-56732