Created attachment 606319 [details] testcase ###!!! ASSERTION: Don't know how to merge this stuff: 'mergeRunStart == k || (g.IsClusterStart() && g.IsLigatureGroupStart())', file layout/generic/nsTextRunTransformations.cpp, line 212 ###!!! ASSERTION: Bad offset calculations: 'offset == aDest->GetLength()', file layout/generic/nsTextRunTransformations.cpp, line 236 I'm guessing this is a regression from bug 605021. The first assertion is not the same as the one in bug 536242, fwiw.
Created attachment 606657 [details] [diff] [review] patch, don't set 'true' in charsToMerge array for surrogates
I can't tell from the patch whether this is actually a security bug or not -- what does that change do?
AFAICT, this doesn't actually constitute a security problem. The error means that the association between underlying text characters and displayed glyphs is incorrect, because of an indexing error when reconstructing the transformed textrun, but it doesn't cause us to overrun a buffer or anything dangerous like that; the "offset" that's used as an index into the new run ends up short of the end of the run, not beyond it. (To see an effect of the bug, try data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo
(In reply to Jonathan Kew (:jfkthame) from comment #4) > (To see an effect of the bug, try > data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo Excuse the truncated comment; apparently something (my browser? bugzilla?) didn't like the supplementary-plane character!
FTR, filed bug 738609 regarding the inability to include supplementary-plane text in a bugzilla comment.