[HarfBuzz] language-code issues
Jonathan Kew
jonathan at jfkew.plus.com
Wed Apr 28 17:13:51 PDT 2010
I've run across a couple of things that seem wrong in the language code support (harfbuzz-ng).
(1) hb_language_from_string() fails to increment num_langs when it allocates a new language code, so it never actually remembers what it has allocated!
diff --git a/gfx/harfbuzz/src/hb-language.c b/gfx/harfbuzz/src/hb-language.c
--- a/gfx/harfbuzz/src/hb-language.c
+++ b/gfx/harfbuzz/src/hb-language.c
@@ -96,16 +96,17 @@ hb_language_from_string (const char *str
return NULL;
num_alloced = new_alloced;
langs = new_langs;
}
langs[i] = strdup (str);
for (p = (unsigned char *) langs[i]; *p; p++)
*p = canon_map[*p];
+ ++num_langs;
return (hb_language_t) langs[i];
}
const char *
hb_language_to_string (hb_language_t language)
{
return (const char *) language;
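Review bot: the `++num_langs;` is placed correctly, after the entry has been canonicalised, but `langs[i] = strdup (str);` is still unchecked, and the loop `for (p = (unsigned char *) langs[i]; *p; p++)` dereferences the result, so an allocation failure becomes a NULL dereference. Suggest `if (!langs[i]) return NULL;` before that loop, mirroring the `return NULL;` already used at the top of the hunk for the failed reallocation. Without the increment every call was a cache miss, so the previously allocated copy was overwritten and leaked and two lookups of the same string could never yield the same hb_language_t.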
(2) In hb_ot_tag_to_language(), I'm wondering whether the temporary string that is created is guaranteed to be correctly null-terminated? I'm a bit hazy on the precise array initialization rules, so I added an explicit zero to be safe:
diff --git a/gfx/harfbuzz/src/hb-ot-tag.c b/gfx/harfbuzz/src/hb-ot-tag.c
--- a/gfx/harfbuzz/src/hb-ot-tag.c
+++ b/gfx/harfbuzz/src/hb-ot-tag.c
@@ -653,10 +653,11 @@ hb_ot_tag_to_language (hb_tag_t tag)
for (i = 0; i < ARRAY_LENGTH (ot_languages); i++)
if (ot_languages[i].tag == tag)
return hb_language_from_string (ot_languages[i].language);
buf[3] = tag >> 24;
buf[4] = (tag >> 16) & 0xFF;
buf[5] = (tag >> 8) & 0xFF;
buf[6] = tag & 0xFF;
+ buf[7] = 0;
return hb_language_from_string ((char *) buf);
}
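Review bot: `buf[7] = 0;` is the right defensive change, but the hunk does not show buf's declaration, so confirm it has at least 8 bytes and that bytes 0..2 hold the "ot:" prefix the message describes; otherwise `hb_language_from_string ((char *) buf)` reads past the array. A smaller consistency point: `buf[3] = tag >> 24;` omits the `& 0xFF` mask the other three stores use; it is harmless for a 32-bit tag stored into a char, but matching the others makes the intent obvious. Note also that a tag byte of 0 terminates the string early, so hb_language_from_string may see fewer than four tag characters.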
More seriously, I'm confused by the "ot:TAG" string that potentially gets constructed here and passed to hb_language_from_string. It looks to me as though the use of canon_map there will in effect map the ":" to a null byte, and so the string will be treated as if it were simply "ot". This seems broken, AFAICS.
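To make bug (1) concrete, here is a small interning cache modelled on the first hunk. It is an added example, not HarfBuzz's code: lowercasing stands in for canon_map (whose contents are not shown), a fixed MAX_LANGS replaces the realloc growth, and the `fixed` flag toggles the `++num_langs` line. Without the increment every lookup misses, the earlier copy is overwritten and leaked, and two lookups of the same language never return the same pointer.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Minimal model of the interning cache in hb_language_from_string(); constructed
   for illustration, not HarfBuzz's code. Lowercasing stands in for canon_map. */
#define MAX_LANGS 16
typedef struct {
  char *langs[MAX_LANGS];
  unsigned int num_langs;
  int fixed;  /* 1 = apply the ++num_langs fix from the patch */
} lang_cache_t;

/* Return the interned pointer for str, allocating on a cache miss. */
const char *lang_from_string (lang_cache_t *c, const char *str)
{
  unsigned int i;
  size_t n;
  char tmp[64], *p;
  if (strlen (str) >= sizeof tmp || c->num_langs >= MAX_LANGS)
    return NULL;
  strcpy (tmp, str);
  for (p = tmp; *p; p++)                    /* canonicalise in place */
    *p = (char) tolower ((unsigned char) *p);
  for (i = 0; i < c->num_langs; i++)
    if (strcmp (c->langs[i], tmp) == 0)
      return c->langs[i];                   /* hit: pointer stored earlier */
  n = strlen (tmp) + 1;                     /* miss: i == num_langs */
  c->langs[i] = malloc (n);
  if (!c->langs[i])
    return NULL;
  memcpy (c->langs[i], tmp, n);
  if (c->fixed)
    c->num_langs++;  /* omitted in the bug: entry forgotten, old copy leaked */
  return c->langs[i];
}

/* Two lookups of one language (case differs); returns 1 if both yield the
   same pointer and stores how many entries the cache believes it holds. */
int run_scenario (int fixed, unsigned int *num_out)
{
  lang_cache_t c = { {0}, 0, fixed };
  const char *a = lang_from_string (&c, "en-US");
  const char *b = lang_from_string (&c, "EN-us");
  int same = (a != NULL && a == b);
  *num_out = c.num_langs;
  free ((char *) a);
  if (!same) free ((char *) b);
  return same;
}
```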