aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-04-27 22:33:02 -0400
committerMark H Weaver <mhw@netris.org>2016-04-28 10:25:19 -0400
commitdde2a94c095f840578c307ebf23cd7c3ba5ec858 (patch)
tree214642e8d3e7ece66e548072144193d1ed17efe1 /gnu/packages
parent3161f6a4eca3225778a76eb5c21cfc150e6dce0a (diff)
downloadguix-dde2a94c095f840578c307ebf23cd7c3ba5ec858.tar
guix-dde2a94c095f840578c307ebf23cd7c3ba5ec858.tar.gz
gnu: icecat: Add fixes for CVE-2016-{2805,2807,2808,2814} etc.
* gnu/packages/patches/icecat-CVE-2016-2805.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch, gnu/packages/patches/icecat-CVE-2016-2808.patch, gnu/packages/patches/icecat-CVE-2016-2814.patch, gnu/packages/patches/icecat-update-bundled-graphite2: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. icecat fixup
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/gnuzilla.scm11
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2805.patch75
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch69
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch37
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2808.patch389
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2814.patch35
-rw-r--r--gnu/packages/patches/icecat-update-bundled-graphite2.patch2488
10 files changed, 3206 insertions, 1 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index e774ed1ad2..abefd90304 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -299,7 +299,16 @@ standards.")
"1wdmd6hasra36g86ha1dw8sl7a5mvr7c4jbjx4zyg9629y5gqr8g"))
(patches (search-patches
"icecat-avoid-bundled-includes.patch"
- "icecat-re-enable-DHE-cipher-suites.patch"))
+ "icecat-re-enable-DHE-cipher-suites.patch"
+ "icecat-update-bundled-graphite2.patch"
+ "icecat-CVE-2016-2805.patch"
+ "icecat-CVE-2016-2807-pt1.patch"
+ "icecat-CVE-2016-2807-pt2.patch"
+ "icecat-CVE-2016-2807-pt3.patch"
+ "icecat-CVE-2016-2807-pt4.patch"
+ "icecat-CVE-2016-2807-pt5.patch"
+ "icecat-CVE-2016-2808.patch"
+ "icecat-CVE-2016-2814.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/icecat-CVE-2016-2805.patch b/gnu/packages/patches/icecat-CVE-2016-2805.patch
new file mode 100644
index 0000000000..5e4150f00c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2805.patch
@@ -0,0 +1,75 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/bf34b97757b3
+
+# HG changeset patch
+# User Jon Coppeard <jcoppeard@mozilla.com>
+# Date 1453890675 0
+# Node ID bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
+# Parent 228ca3f46cabaf3f388f6c6640690772aa13c1a5
+Bug 1241731 - Handle incomplete buffer in DiscardTransferables r=sfink a=abillings a=sylvestre
+
+diff --git a/js/src/jit-test/tests/gc/bug-1241731.js b/js/src/jit-test/tests/gc/bug-1241731.js
+new file mode 100644
+--- /dev/null
++++ b/js/src/jit-test/tests/gc/bug-1241731.js
+@@ -0,0 +1,4 @@
++if (!('oomTest' in this))
++ quit();
++
++oomTest(() => serialize(0, [{}]));
+diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
+--- a/js/src/vm/StructuredClone.cpp
++++ b/js/src/vm/StructuredClone.cpp
+@@ -379,39 +379,50 @@ ReadStructuredClone(JSContext* cx, uint6
+
+ // If the given buffer contains Transferables, free them. Note that custom
+ // Transferables will use the JSStructuredCloneCallbacks::freeTransfer() to
+ // delete their transferables.
+ static void
+ Discard(uint64_t* buffer, size_t nbytes, const JSStructuredCloneCallbacks* cb, void* cbClosure)
+ {
+ MOZ_ASSERT(nbytes % sizeof(uint64_t) == 0);
+- if (nbytes < sizeof(uint64_t))
++ uint64_t* end = buffer + nbytes / sizeof(uint64_t);
++ uint64_t* point = buffer;
++ if (point == end)
+ return; // Empty buffer
+
+- uint64_t* point = buffer;
+ uint32_t tag, data;
+ SCInput::getPair(point++, &tag, &data);
+ if (tag != SCTAG_TRANSFER_MAP_HEADER)
+ return;
+
+ if (TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
+ return;
+
+ // freeTransfer should not GC
+ JS::AutoSuppressGCAnalysis nogc;
+
++ if (point == end)
++ return;
++
+ uint64_t numTransferables = LittleEndian::readUint64(point++);
+ while (numTransferables--) {
++ if (point == end)
++ return;
++
+ uint32_t ownership;
+ SCInput::getPair(point++, &tag, &ownership);
+ MOZ_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
++ if (point == end)
++ return;
+
+ void* content;
+ SCInput::getPtr(point++, &content);
++ if (point == end)
++ return;
+
+ uint64_t extraData = LittleEndian::readUint64(point++);
+
+ if (ownership < JS::SCTAG_TMO_FIRST_OWNED)
+ continue;
+
+ if (ownership == JS::SCTAG_TMO_ALLOC_DATA) {
+ js_free(content);
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch
new file mode 100644
index 0000000000..0a6bee378b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch
@@ -0,0 +1,35 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/e7c23c08bf84
+
+# HG changeset patch
+# User Randell Jesup <rjesup@jesup.org>
+# Date 1458543433 14400
+# Node ID e7c23c08bf84a02d9154f31e0c5d121a45884a69
+# Parent a6de1f453712edabff597879398606708c191098
+Bug 1254876: assert windows recording is shut down r=pkerr a=ritu
+
+MozReview-Commit-ID: JRqxBb5TgrE
+
+diff --git a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
+--- a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
++++ b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
+@@ -567,16 +567,19 @@ AudioDeviceWindowsCore::AudioDeviceWindo
+ // ----------------------------------------------------------------------------
+
+ AudioDeviceWindowsCore::~AudioDeviceWindowsCore()
+ {
+ WEBRTC_TRACE(kTraceMemory, kTraceAudioDevice, _id, "%s destroyed", __FUNCTION__);
+
+ Terminate();
+
++ // Recording thread should be shut down before this!
++ assert(_hRecThread == NULL);
++
+ // The IMMDeviceEnumerator is created during construction. Must release
+ // it here and not in Terminate() since we don't recreate it in Init().
+ SAFE_RELEASE(_ptrEnumerator);
+
+ _ptrAudioBuffer = NULL;
+
+ if (NULL != _hRenderSamplesReadyEvent)
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
new file mode 100644
index 0000000000..f4b4c0d4eb
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
@@ -0,0 +1,69 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
+
+# HG changeset patch
+# User Shu-yu Guo <shu@rfrn.org>
+# Date 1459741387 -7200
+# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
+# Parent 9d4364f6b55c6ee65c13c491292c3abe1ee2c993
+Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
+
+diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
+new file mode 100644
+--- /dev/null
++++ b/js/src/jit-test/tests/parser/bug-1254164.js
+@@ -0,0 +1,6 @@
++// |jit-test| slow;
++
++var s = '';
++for (var i = 0; i < 70000; i++)
++ s += 'function x' + i + '() { x' + i + '(); }\n';
++eval("(function() { " + s + " })();");
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
+ // JITs when interpreting/compiling aliasedvar ops.)
+
+ // Since unaliased variables are, by definition, only accessed by local
+ // operations and never through the scope chain, only give shapes to
+ // aliased variables. While the debugger may observe any scope object at
+ // any time, such accesses are mediated by DebugScopeProxy (see
+ // DebugScopeProxy::handleUnaliasedAccess).
+ uint32_t nslots = CallObject::RESERVED_SLOTS;
+- uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
++
++ // Unless there are aliased body-level lexical bindings at all, set the
++ // begin index to an impossible slot number.
++ uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
+ for (BindingIter bi(self); bi; bi++) {
+ if (bi->aliased()) {
+ // Per ES6, lexical bindings cannot be accessed until
+ // initialized. Remember the first aliased slot that is a
+ // body-level lexical, so that they may be initialized to sentinel
+ // magic values.
+ if (numBodyLevelLexicals > 0 &&
+ nslots < aliasedBodyLevelLexicalBegin &&
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -201,18 +201,18 @@ class Bindings
+ friend class BindingIter;
+ friend class AliasedFormalIter;
+
+ RelocatablePtrShape callObjShape_;
+ uintptr_t bindingArrayAndFlag_;
+ uint16_t numArgs_;
+ uint16_t numBlockScoped_;
+ uint16_t numBodyLevelLexicals_;
+- uint16_t aliasedBodyLevelLexicalBegin_;
+ uint16_t numUnaliasedBodyLevelLexicals_;
++ uint32_t aliasedBodyLevelLexicalBegin_;
+ uint32_t numVars_;
+ uint32_t numUnaliasedVars_;
+
+ #if JS_BITS_PER_WORD == 32
+ // Bindings is allocated inline inside JSScript, which needs to be
+ // gc::Cell aligned.
+ uint32_t padding_;
+ #endif
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch
new file mode 100644
index 0000000000..a5a4212c28
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch
@@ -0,0 +1,33 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/88f1eb2c3f4b
+
+# HG changeset patch
+# User Timothy Nikkel <tnikkel@gmail.com>
+# Date 1457637807 21600
+# Node ID 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
+# Parent bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
+Bug 1187420. r=drc r=jmuizelaar a=sylvestre
+
+MozReview-Commit-ID: Hh0Khqfj8Bf
+
+diff --git a/media/libjpeg/jstdhuff.c b/media/libjpeg/jstdhuff.c
+--- a/media/libjpeg/jstdhuff.c
++++ b/media/libjpeg/jstdhuff.c
+@@ -36,16 +36,17 @@ add_huff_table (j_common_ptr cinfo,
+ */
+ nsymbols = 0;
+ for (len = 1; len <= 16; len++)
+ nsymbols += bits[len];
+ if (nsymbols < 1 || nsymbols > 256)
+ ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
+
+ MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8));
++ MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8));
+
+ /* Initialize sent_table FALSE so table will be written to JPEG file. */
+ (*htblptr)->sent_table = FALSE;
+ }
+
+
+ LOCAL(void)
+ std_huff_tables (j_common_ptr cinfo)
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
new file mode 100644
index 0000000000..5eff4fe99c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
@@ -0,0 +1,37 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/5c312182da90
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1458828581 -3600
+# Node ID 5c312182da9020504103aa329360abaffa7e232d
+# Parent fa4efccde9b7efde8763a178a6cf422b6d37a0e9
+Bug 1254622 - Relookup group->newScript in CreateThisForFunctionWithGroup. r=bhackett a=sylvestre
+
+MozReview-Commit-ID: KXd7kB70f1Z
+
+diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
+--- a/js/src/jsobj.cpp
++++ b/js/src/jsobj.cpp
+@@ -1574,18 +1574,19 @@ CreateThisForFunctionWithGroup(JSContext
+ // Not enough objects with this group have been created yet, so make a
+ // plain object and register it with the group. Use the maximum number
+ // of fixed slots, as is also required by the TypeNewScript.
+ gc::AllocKind allocKind = GuessObjectGCKind(NativeObject::MAX_FIXED_SLOTS);
+ PlainObject* res = NewObjectWithGroup<PlainObject>(cx, group, parent, allocKind, newKind);
+ if (!res)
+ return nullptr;
+
+- if (newKind != SingletonObject)
+- newScript->registerNewObject(res);
++ // Make sure group->newScript is still there.
++ if (newKind != SingletonObject && group->newScript())
++ group->newScript()->registerNewObject(res);
+
+ return res;
+ }
+
+ gc::AllocKind allocKind = NewObjectGCKind(&PlainObject::class_);
+
+ if (newKind == SingletonObject) {
+ Rooted<TaggedProto> protoRoot(cx, group->proto());
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
new file mode 100644
index 0000000000..00718ebaac
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
@@ -0,0 +1,35 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099
+
+# HG changeset patch
+# User Carsten "Tomcat" Book <cbook@mozilla.com>
+# Date 1461123938 -7200
+# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
+# Parent 52dfdd37150d62f708dc5bf61dd28f3967596788
+Bug 1252707 - a=sylvestre
+
+diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
+--- a/js/src/vm/Shape.cpp
++++ b/js/src/vm/Shape.cpp
+@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
+
+ if (obj->inDictionaryMode()) {
+ MOZ_ASSERT(parent == obj->lastProperty());
+ RootedGeneric<StackShape*> childRoot(cx, &child);
+ shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
+ if (!shape)
+ return nullptr;
+ if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
+- if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
++ if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
++ new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
+ return nullptr;
++ }
+ }
+ shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
+ }
+
+ return shape;
+ }
+
+ /* static */ Shape*
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2808.patch b/gnu/packages/patches/icecat-CVE-2016-2808.patch
new file mode 100644
index 0000000000..ae190b8b4c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2808.patch
@@ -0,0 +1,389 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/71f611fd27c7
+
+# HG changeset patch
+# User Jeff Walden <jwalden@mit.edu>
+# Date 1458941573 25200
+# Node ID 71f611fd27c7d6cb7d6dab9895c2922948042543
+# Parent 861f6b83ce1deade2a976cabe059776ad51ce370
+Bug 1246061. r=luke, r=froydnj, a=sylvestre
+
+diff --git a/js/public/HashTable.h b/js/public/HashTable.h
+--- a/js/public/HashTable.h
++++ b/js/public/HashTable.h
+@@ -8,16 +8,17 @@
+ #define js_HashTable_h
+
+ #include "mozilla/Alignment.h"
+ #include "mozilla/Assertions.h"
+ #include "mozilla/Attributes.h"
+ #include "mozilla/Casting.h"
+ #include "mozilla/MemoryReporting.h"
+ #include "mozilla/Move.h"
++#include "mozilla/Opaque.h"
+ #include "mozilla/PodOperations.h"
+ #include "mozilla/ReentrancyGuard.h"
+ #include "mozilla/TemplateLib.h"
+ #include "mozilla/TypeTraits.h"
+
+ #include "js/Utility.h"
+
+ namespace js {
+@@ -27,16 +28,18 @@ template <class> struct DefaultHasher;
+ template <class, class> class HashMapEntry;
+ namespace detail {
+ template <class T> class HashTableEntry;
+ template <class T, class HashPolicy, class AllocPolicy> class HashTable;
+ }
+
+ /*****************************************************************************/
+
++using Generation = mozilla::Opaque<uint64_t>;
++
+ // A JS-friendly, STL-like container providing a hash-based map from keys to
+ // values. In particular, HashMap calls constructors and destructors of all
+ // objects added so non-PODs may be used safely.
+ //
+ // Key/Value requirements:
+ // - movable, destructible, assignable
+ // HashPolicy requirements:
+ // - see Hash Policy section below
+@@ -200,17 +203,19 @@ class HashMap
+ return impl.sizeOfExcludingThis(mallocSizeOf);
+ }
+ size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
+ }
+
+ // If |generation()| is the same before and after a HashMap operation,
+ // pointers into the table remain valid.
+- uint32_t generation() const { return impl.generation(); }
++ Generation generation() const {
++ return impl.generation();
++ }
+
+ /************************************************** Shorthand operations */
+
+ bool has(const Lookup& l) const {
+ return impl.lookup(l).found();
+ }
+
+ // Overwrite existing value with v. Return false on oom.
+@@ -431,17 +436,19 @@ class HashSet
+ return impl.sizeOfExcludingThis(mallocSizeOf);
+ }
+ size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
+ }
+
+ // If |generation()| is the same before and after a HashSet operation,
+ // pointers into the table remain valid.
+- uint32_t generation() const { return impl.generation(); }
++ Generation generation() const {
++ return impl.generation();
++ }
+
+ /************************************************** Shorthand operations */
+
+ bool has(const Lookup& l) const {
+ return impl.lookup(l).found();
+ }
+
+ // Add |u| if it is not present already. Return false on oom.
+@@ -766,17 +773,17 @@ class HashTable : private AllocPolicy
+ // table operations unless |generation()| is tested.
+ class Ptr
+ {
+ friend class HashTable;
+
+ Entry* entry_;
+ #ifdef JS_DEBUG
+ const HashTable* table_;
+- uint32_t generation;
++ Generation generation;
+ #endif
+
+ protected:
+ Ptr(Entry& entry, const HashTable& tableArg)
+ : entry_(&entry)
+ #ifdef JS_DEBUG
+ , table_(&tableArg)
+ , generation(tableArg.generation())
+@@ -873,17 +880,17 @@ class HashTable : private AllocPolicy
+ while (cur < end && !cur->isLive())
+ ++cur;
+ }
+
+ Entry* cur, *end;
+ #ifdef JS_DEBUG
+ const HashTable* table_;
+ uint64_t mutationCount;
+- uint32_t generation;
++ Generation generation;
+ bool validEntry;
+ #endif
+
+ public:
+ Range()
+ : cur(nullptr)
+ , end(nullptr)
+ #ifdef JS_DEBUG
+@@ -1012,18 +1019,18 @@ class HashTable : private AllocPolicy
+ // HashTable is not copyable or assignable
+ HashTable(const HashTable&) = delete;
+ void operator=(const HashTable&) = delete;
+
+ private:
+ static const size_t CAP_BITS = 24;
+
+ public:
+- Entry* table; // entry storage
+- uint32_t gen; // entry storage generation number
++ uint64_t gen; // entry storage generation number
++ Entry* table; // entry storage
+ uint32_t entryCount; // number of entries in table
+ uint32_t removedCount:CAP_BITS; // removed entry sentinels in table
+ uint32_t hashShift:8; // multiplicative hash shift
+
+ #ifdef JS_DEBUG
+ uint64_t mutationCount;
+ mutable bool mEntered;
+ mutable struct Stats
+@@ -1097,18 +1104,18 @@ class HashTable : private AllocPolicy
+ for (Entry* e = oldTable, *end = e + capacity; e < end; ++e)
+ e->destroyIfLive();
+ alloc.free_(oldTable);
+ }
+
+ public:
+ explicit HashTable(AllocPolicy ap)
+ : AllocPolicy(ap)
++ , gen(0)
+ , table(nullptr)
+- , gen(0)
+ , entryCount(0)
+ , removedCount(0)
+ , hashShift(sHashBits)
+ #ifdef JS_DEBUG
+ , mutationCount(0)
+ , mEntered(false)
+ #endif
+ {}
+@@ -1524,20 +1531,20 @@ class HashTable : private AllocPolicy
+ }
+
+ uint32_t capacity() const
+ {
+ MOZ_ASSERT(table);
+ return JS_BIT(sHashBits - hashShift);
+ }
+
+- uint32_t generation() const
++ Generation generation() const
+ {
+ MOZ_ASSERT(table);
+- return gen;
++ return Generation(gen);
+ }
+
+ size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const
+ {
+ return mallocSizeOf(table);
+ }
+
+ size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -270,20 +270,16 @@ class AutoHashMapRooter : protected Auto
+
+ size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return map.sizeOfExcludingThis(mallocSizeOf);
+ }
+ size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return map.sizeOfIncludingThis(mallocSizeOf);
+ }
+
+- uint32_t generation() const {
+- return map.generation();
+- }
+-
+ /************************************************** Shorthand operations */
+
+ bool has(const Lookup& l) const {
+ return map.has(l);
+ }
+
+ template<typename KeyInput, typename ValueInput>
+ bool put(const KeyInput& k, const ValueInput& v) {
+@@ -385,20 +381,16 @@ class AutoHashSetRooter : protected Auto
+
+ size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return set.sizeOfExcludingThis(mallocSizeOf);
+ }
+ size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+ return set.sizeOfIncludingThis(mallocSizeOf);
+ }
+
+- uint32_t generation() const {
+- return set.generation();
+- }
+-
+ /************************************************** Shorthand operations */
+
+ bool has(const Lookup& l) const {
+ return set.has(l);
+ }
+
+ bool put(const T& t) {
+ return set.put(t);
+diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
+--- a/js/src/jscntxt.h
++++ b/js/src/jscntxt.h
+@@ -30,21 +30,21 @@ class DebugModeOSRVolatileJitFrameIterat
+ }
+
+ typedef HashSet<JSObject*> ObjectSet;
+ typedef HashSet<Shape*> ShapeSet;
+
+ /* Detects cycles when traversing an object graph. */
+ class AutoCycleDetector
+ {
++ Generation hashsetGenerationAtInit;
+ JSContext* cx;
+ RootedObject obj;
++ ObjectSet::AddPtr hashsetAddPointer;
+ bool cyclic;
+- uint32_t hashsetGenerationAtInit;
+- ObjectSet::AddPtr hashsetAddPointer;
+ MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
+
+ public:
+ AutoCycleDetector(JSContext* cx, HandleObject objArg
+ MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
+ : cx(cx), obj(cx, objArg), cyclic(true)
+ {
+ MOZ_GUARD_OBJECT_NOTIFIER_INIT;
+diff --git a/js/src/jswatchpoint.cpp b/js/src/jswatchpoint.cpp
+--- a/js/src/jswatchpoint.cpp
++++ b/js/src/jswatchpoint.cpp
+@@ -22,25 +22,25 @@ DefaultHasher<WatchKey>::hash(const Look
+ {
+ return DefaultHasher<JSObject*>::hash(key.object.get()) ^ HashId(key.id.get());
+ }
+
+ namespace {
+
+ class AutoEntryHolder {
+ typedef WatchpointMap::Map Map;
++ Generation gen;
+ Map& map;
+ Map::Ptr p;
+- uint32_t gen;
+ RootedObject obj;
+ RootedId id;
+
+ public:
+ AutoEntryHolder(JSContext* cx, Map& map, Map::Ptr p)
+- : map(map), p(p), gen(map.generation()), obj(cx, p->key().object), id(cx, p->key().id)
++ : gen(map.generation()), map(map), p(p), obj(cx, p->key().object), id(cx, p->key().id)
+ {
+ MOZ_ASSERT(!p->value().held);
+ p->value().held = true;
+ }
+
+ ~AutoEntryHolder() {
+ if (gen != map.generation())
+ p = map.lookup(WatchKey(obj, id));
+diff --git a/js/src/shell/jsheaptools.cpp b/js/src/shell/jsheaptools.cpp
+--- a/js/src/shell/jsheaptools.cpp
++++ b/js/src/shell/jsheaptools.cpp
+@@ -267,17 +267,17 @@ HeapReverser::traverseEdge(void* cell, J
+ Map::AddPtr a = map.lookupForAdd(cell);
+ if (!a) {
+ /*
+ * We've never visited this cell before. Add it to the map (thus
+ * marking it as visited), and put it on the work stack, to be
+ * visited from the main loop.
+ */
+ Node n(kind);
+- uint32_t generation = map.generation();
++ Generation generation = map.generation();
+ if (!map.add(a, cell, Move(n)) ||
+ !work.append(Child(cell, kind)))
+ return false;
+ /* If the map has been resized, re-check the pointer. */
+ if (map.generation() != generation)
+ a = map.lookupForAdd(cell);
+ }
+
+diff --git a/mfbt/Opaque.h b/mfbt/Opaque.h
+new file mode 100644
+--- /dev/null
++++ b/mfbt/Opaque.h
+@@ -0,0 +1,44 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=8 sts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++/* An opaque integral type supporting only comparison operators. */
++
++#ifndef mozilla_Opaque_h
++#define mozilla_Opaque_h
++
++#include "mozilla/TypeTraits.h"
++
++namespace mozilla {
++
++/**
++ * Opaque<T> is a replacement for integral T in cases where only comparisons
++ * must be supported, and it's desirable to prevent accidental dependency on
++ * exact values.
++ */
++template<typename T>
++class Opaque final
++{
++ static_assert(mozilla::IsIntegral<T>::value,
++ "mozilla::Opaque only supports integral types");
++
++ T mValue;
++
++public:
++ Opaque() {}
++ explicit Opaque(T aValue) : mValue(aValue) {}
++
++ bool operator==(const Opaque& aOther) const {
++ return mValue == aOther.mValue;
++ }
++
++ bool operator!=(const Opaque& aOther) const {
++ return !(*this == aOther);
++ }
++};
++
++} // namespace mozilla
++
++#endif /* mozilla_Opaque_h */
+diff --git a/mfbt/moz.build b/mfbt/moz.build
+--- a/mfbt/moz.build
++++ b/mfbt/moz.build
+@@ -48,16 +48,17 @@ EXPORTS.mozilla = [
+ 'MathAlgorithms.h',
+ 'Maybe.h',
+ 'MaybeOneOf.h',
+ 'MemoryChecking.h',
+ 'MemoryReporting.h',
+ 'Move.h',
+ 'NullPtr.h',
+ 'NumericLimits.h',
++ 'Opaque.h',
+ 'Pair.h',
+ 'PodOperations.h',
+ 'Poison.h',
+ 'Range.h',
+ 'RangedPtr.h',
+ 'RefCountType.h',
+ 'ReentrancyGuard.h',
+ 'RefPtr.h',
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-2814.patch b/gnu/packages/patches/icecat-CVE-2016-2814.patch
new file mode 100644
index 0000000000..5f197f25e6
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2814.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Jean-Yves Avenard <jyavenard@mozilla.com>
+# Date 1460655260 25200
+# Node ID a13c0bc84d6eb132f4199f563fbe228d2d3b3a51
+# Parent 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
+Bug 1254721: Ensure consistency between Cenc offsets and sizes table. r=gerald a=sylvestre
+
+MozReview-Commit-ID: E1KbKIIBR87
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+--- a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+@@ -612,18 +612,18 @@ status_t
+ SampleTable::parseSampleCencInfo() {
+ if ((!mCencDefaultSize && !mCencInfoCount) || mCencOffsets.isEmpty()) {
+ // We don't have all the cenc information we need yet. Quietly fail and
+ // hope we get the data we need later in the track header.
+ ALOGV("Got half of cenc saio/saiz pair. Deferring parse until we get the other half.");
+ return OK;
+ }
+
+- if (!mCencSizes.isEmpty() && mCencOffsets.size() > 1 &&
+- mCencSizes.size() != mCencOffsets.size()) {
++ if ((mCencOffsets.size() > 1 && mCencOffsets.size() < mCencInfoCount) ||
++ (!mCencDefaultSize && mCencSizes.size() < mCencInfoCount)) {
+ return ERROR_MALFORMED;
+ }
+
+ if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
+ // Avoid future OOM.
+ return ERROR_MALFORMED;
+ }
+
+
diff --git a/gnu/packages/patches/icecat-update-bundled-graphite2.patch b/gnu/packages/patches/icecat-update-bundled-graphite2.patch
new file mode 100644
index 0000000000..c3ab920335
--- /dev/null
+++ b/gnu/packages/patches/icecat-update-bundled-graphite2.patch
@@ -0,0 +1,2488 @@
+
+# HG changeset patch
+# User Jonathan Kew <jkew@mozilla.com>
+# Date 1460660890 -3600
+# Node ID 7330633d20ffb33941e41ea0666c4099b6e6d317
+# Parent 5c312182da9020504103aa329360abaffa7e232d
+Bug 1262846 (patch for ESR trees) - Update Graphite2 library to 1.3.8. r=jrmuizel a=sledru
+
+diff --git a/gfx/graphite2/README.mozilla b/gfx/graphite2/README.mozilla
+--- a/gfx/graphite2/README.mozilla
++++ b/gfx/graphite2/README.mozilla
+@@ -1,3 +1,3 @@
+-This directory contains the Graphite2 library release 1.3.6 from
+-https://github.com/silnrsi/graphite/releases/download/1.3.6/graphite-minimal-1.3.6.tgz
++This directory contains the Graphite2 library release 1.3.8 from
++https://github.com/silnrsi/graphite/releases/download/1.3.8/graphite2-minimal-1.3.8.tgz
+ See gfx/graphite2/moz-gr-update.sh for update procedure.
+diff --git a/gfx/graphite2/include/graphite2/Font.h b/gfx/graphite2/include/graphite2/Font.h
+--- a/gfx/graphite2/include/graphite2/Font.h
++++ b/gfx/graphite2/include/graphite2/Font.h
+@@ -25,17 +25,17 @@
+ either version 2 of the License or (at your option) any later version.
+ */
+ #pragma once
+
+ #include "graphite2/Types.h"
+
+ #define GR2_VERSION_MAJOR 1
+ #define GR2_VERSION_MINOR 3
+-#define GR2_VERSION_BUGFIX 6
++#define GR2_VERSION_BUGFIX 8
+
+ #ifdef __cplusplus
+ extern "C"
+ {
+ #endif
+
+ typedef struct gr_face gr_face;
+ typedef struct gr_font gr_font;
+diff --git a/gfx/graphite2/moz-gr-update.sh b/gfx/graphite2/moz-gr-update.sh
+--- a/gfx/graphite2/moz-gr-update.sh
++++ b/gfx/graphite2/moz-gr-update.sh
+@@ -14,17 +14,17 @@
+ RELEASE=$1
+
+ if [ "x$RELEASE" == "x" ]
+ then
+ echo "Must provide the version number to be used."
+ exit 1
+ fi
+
+-TARBALL="https://github.com/silnrsi/graphite/releases/download/$RELEASE/graphite-minimal-$RELEASE.tgz"
++TARBALL="https://github.com/silnrsi/graphite/releases/download/$RELEASE/graphite2-minimal-$RELEASE.tgz"
+
+ foo=`basename $0`
+ TMPFILE=`mktemp -t ${foo}` || exit 1
+
+ curl -L "$TARBALL" -o "$TMPFILE"
+ tar -x -z -C gfx/graphite2/ --strip-components 1 -f "$TMPFILE" || exit 1
+ rm "$TMPFILE"
+
+diff --git a/gfx/graphite2/src/CachedFace.cpp b/gfx/graphite2/src/CachedFace.cpp
+--- a/gfx/graphite2/src/CachedFace.cpp
++++ b/gfx/graphite2/src/CachedFace.cpp
+@@ -64,20 +64,20 @@ bool CachedFace::runGraphite(Segment *se
+ return false;
+
+ assert(m_cacheStore);
+ // find where the segment can be broken
+ Slot * subSegStartSlot = seg->first();
+ Slot * subSegEndSlot = subSegStartSlot;
+ uint16 cmapGlyphs[eMaxSpliceSize];
+ int subSegStart = 0;
+- for (unsigned int i = 0; i < seg->charInfoCount(); ++i)
++ for (unsigned int i = 0; i < seg->charInfoCount() && subSegEndSlot; ++i)
+ {
+ const unsigned int length = i - subSegStart + 1;
+- if (length < eMaxSpliceSize)
++ if (length < eMaxSpliceSize && subSegEndSlot->gid() < m_cacheStore->maxCmapGid())
+ cmapGlyphs[length-1] = subSegEndSlot->gid();
+ else return false;
+ const bool spaceOnly = m_cacheStore->isSpaceGlyph(subSegEndSlot->gid());
+ // at this stage the character to slot mapping is still 1 to 1
+ const int breakWeight = seg->charinfo(i)->breakWeight(),
+ nextBreakWeight = (i + 1 < seg->charInfoCount())?
+ seg->charinfo(i+1)->breakWeight() : 0;
+ const uint8 f = seg->charinfo(i)->flags();
+diff --git a/gfx/graphite2/src/Code.cpp b/gfx/graphite2/src/Code.cpp
+--- a/gfx/graphite2/src/Code.cpp
++++ b/gfx/graphite2/src/Code.cpp
+@@ -61,93 +61,88 @@ inline bool is_return(const instr i) {
+ const instr pop_ret = *opmap[POP_RET].impl,
+ ret_zero = *opmap[RET_ZERO].impl,
+ ret_true = *opmap[RET_TRUE].impl;
+ return i == pop_ret || i == ret_zero || i == ret_true;
+ }
+
+ struct context
+ {
+- context(uint8 ref=0) : codeRef(ref) {flags.changed=false; flags.referenced=false; flags.inserted=false;}
++ context(uint8 ref=0) : codeRef(ref) {flags.changed=false; flags.referenced=false;}
+ struct {
+ uint8 changed:1,
+- referenced:1,
+- inserted:1;
++ referenced:1;
+ } flags;
+ uint8 codeRef;
+ };
+
+ } // end namespace
+
+
+ class Machine::Code::decoder
+ {
+ public:
+ struct limits;
+- struct analysis
+- {
+- static const int NUMCONTEXTS = 256;
+- uint8 slotref;
+- context contexts[NUMCONTEXTS];
+- byte max_ref;
+-
+- analysis() : slotref(0), max_ref(0) {};
+- void set_ref(int index, bool incinsert=false) throw();
+- void set_noref(int index) throw();
+- void set_changed(int index) throw();
+-
+- };
++ static const int NUMCONTEXTS = 256;
+
+ decoder(limits & lims, Code &code, enum passtype pt) throw();
+
+ bool load(const byte * bc_begin, const byte * bc_end);
+ void apply_analysis(instr * const code, instr * code_end);
+- byte max_ref() { return _analysis.max_ref; }
+- int pre_context() const { return _pre_context; }
++ byte max_ref() { return _max_ref; }
++ int out_index() const { return _out_index; }
+
+ private:
++ void set_ref(int index) throw();
++ void set_noref(int index) throw();
++ void set_changed(int index) throw();
+ opcode fetch_opcode(const byte * bc);
+ void analyse_opcode(const opcode, const int8 * const dp) throw();
+ bool emit_opcode(opcode opc, const byte * & bc);
+- bool validate_opcode(const opcode opc, const byte * const bc);
++ bool validate_opcode(const byte opc, const byte * const bc);
+ bool valid_upto(const uint16 limit, const uint16 x) const throw();
+ bool test_context() const throw();
++ bool test_ref(int8 index) const throw();
+ void failure(const status_t s) const throw() { _code.failure(s); }
+
+ Code & _code;
+- int _pre_context;
+- uint16 _rule_length;
++ int _out_index;
++ uint16 _out_length;
+ instr * _instr;
+ byte * _data;
+ limits & _max;
+- analysis _analysis;
+ enum passtype _passtype;
+ int _stack_depth;
+ bool _in_ctxt_item;
++ int16 _slotref;
++ context _contexts[NUMCONTEXTS];
++ byte _max_ref;
+ };
+
+
+ struct Machine::Code::decoder::limits
+ {
+ const byte * bytecode;
+ const uint8 pre_context;
+ const uint16 rule_length,
+ classes,
+ glyf_attrs,
+ features;
+ const byte attrid[gr_slatMax];
+ };
+
+ inline Machine::Code::decoder::decoder(limits & lims, Code &code, enum passtype pt) throw()
+ : _code(code),
+- _pre_context(code._constraint ? 0 : lims.pre_context),
+- _rule_length(code._constraint ? 1 : lims.rule_length),
++ _out_index(code._constraint ? 0 : lims.pre_context),
++ _out_length(code._constraint ? 1 : lims.rule_length),
+ _instr(code._code), _data(code._data), _max(lims), _passtype(pt),
+ _stack_depth(0),
+- _in_ctxt_item(false)
++ _in_ctxt_item(false),
++ _slotref(0),
++ _max_ref(0)
+ { }
+
+
+
+ Machine::Code::Code(bool is_constraint, const byte * bytecode_begin, const byte * const bytecode_end,
+ uint8 pre_context, uint16 rule_length, const Silf & silf, const Face & face,
+ enum passtype pt, byte * * const _out)
+ : _code(0), _data(0), _data_size(0), _instr_count(0), _max_ref(0), _status(loaded),
+@@ -163,17 +158,17 @@ Machine::Code::Code(bool is_constraint,
+ return;
+ }
+ assert(bytecode_end > bytecode_begin);
+ const opcode_t * op_to_fn = Machine::getOpcodeTable();
+
+ // Allocate code and data target buffers, these sizes are a worst case
+ // estimate. Once we know their real sizes the we'll shrink them.
+ if (_out) _code = reinterpret_cast<instr *>(*_out);
+- else _code = static_cast<instr *>(malloc(estimateCodeDataOut(bytecode_end-bytecode_begin)));
++ else _code = static_cast<instr *>(malloc(estimateCodeDataOut(bytecode_end-bytecode_begin, 1, is_constraint ? 0 : rule_length)));
+ _data = reinterpret_cast<byte *>(_code + (bytecode_end - bytecode_begin));
+
+ if (!_code || !_data) {
+ failure(alloc_failed);
+ return;
+ }
+
+ decoder::limits lims = {
+@@ -266,23 +261,23 @@ bool Machine::Code::decoder::load(const
+ return bool(_code);
+ }
+
+ // Validation check and fixups.
+ //
+
+ opcode Machine::Code::decoder::fetch_opcode(const byte * bc)
+ {
+- const opcode opc = opcode(*bc++);
++ const byte opc = *bc++;
+
+ // Do some basic sanity checks based on what we know about the opcode
+ if (!validate_opcode(opc, bc)) return MAX_OPCODE;
+
+ // And check it's arguments as far as possible
+- switch (opc)
++ switch (opcode(opc))
+ {
+ case NOP :
+ break;
+ case PUSH_BYTE :
+ case PUSH_BYTEU :
+ case PUSH_SHORT :
+ case PUSH_SHORTU :
+ case PUSH_LONG :
+@@ -319,47 +314,57 @@ opcode Machine::Code::decoder::fetch_opc
+ case COND :
+ _stack_depth -= 2;
+ if (_stack_depth <= 0)
+ failure(underfull_stack);
+ break;
+ case NEXT :
+ case NEXT_N : // runtime checked
+ case COPY_NEXT :
+- test_context();
+- ++_pre_context;
++ ++_out_index;
++ if (_out_index < -1 || _out_index > _out_length || _slotref > _max.rule_length)
++ failure(out_of_range_data);
+ break;
+ case PUT_GLYPH_8BIT_OBS :
+ valid_upto(_max.classes, bc[0]);
+ test_context();
+ break;
+ case PUT_SUBS_8BIT_OBS :
+- valid_upto(_rule_length, _pre_context + int8(bc[0]));
++ test_ref(int8(bc[0]));
+ valid_upto(_max.classes, bc[1]);
+ valid_upto(_max.classes, bc[2]);
+ test_context();
+ break;
+ case PUT_COPY :
+- valid_upto(_rule_length, _pre_context + int8(bc[0]));
++ test_ref(int8(bc[0]));
+ test_context();
+ break;
+ case INSERT :
+ if (_passtype >= PASS_TYPE_POSITIONING)
+ failure(invalid_opcode);
+- else
+- --_pre_context;
++ ++_out_length;
++ if (_out_index < 0) ++_out_index;
++ if (_out_index < -1 || _out_index >= _out_length)
++ failure(out_of_range_data);
+ break;
+ case DELETE :
+ if (_passtype >= PASS_TYPE_POSITIONING)
+ failure(invalid_opcode);
+- test_context();
++ if (_out_index < _max.pre_context)
++ failure(out_of_range_data);
++ --_out_index;
++ --_out_length;
++ if (_out_index < -1 || _out_index > _out_length)
++ failure(out_of_range_data);
+ break;
+ case ASSOC :
++ if (bc[0] == 0)
++ failure(out_of_range_data);
+ for (uint8 num = bc[0]; num; --num)
+- valid_upto(_rule_length, _pre_context + int8(bc[num]));
++ test_ref(int8(bc[num]));
+ test_context();
+ break;
+ case CNTXT_ITEM :
+ valid_upto(_max.rule_length, _max.pre_context + int8(bc[0]));
+ if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end);
+ if (_in_ctxt_item) failure(nested_context_item);
+ break;
+ case ATTR_SET :
+@@ -378,52 +383,43 @@ opcode Machine::Code::decoder::fetch_opc
+ failure(underfull_stack);
+ if (valid_upto(gr_slatMax, bc[0]))
+ valid_upto(_max.attrid[bc[0]], bc[1]);
+ test_context();
+ break;
+ case PUSH_SLOT_ATTR :
+ ++_stack_depth;
+ valid_upto(gr_slatMax, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
++ test_ref(int8(bc[1]));
+ if (attrCode(bc[0]) == gr_slatUserDefn) // use IATTR for user attributes
+ failure(out_of_range_data);
+ break;
+ case PUSH_GLYPH_ATTR_OBS :
++ case PUSH_ATT_TO_GATTR_OBS :
+ ++_stack_depth;
+ valid_upto(_max.glyf_attrs, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
++ test_ref(int8(bc[1]));
+ break;
++ case PUSH_ATT_TO_GLYPH_METRIC :
+ case PUSH_GLYPH_METRIC :
+ ++_stack_depth;
+ valid_upto(kgmetDescent, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
++ test_ref(int8(bc[1]));
+ // level: dp[2] no check necessary
+ break;
+ case PUSH_FEAT :
+ ++_stack_depth;
+ valid_upto(_max.features, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
+- break;
+- case PUSH_ATT_TO_GATTR_OBS :
+- ++_stack_depth;
+- valid_upto(_max.glyf_attrs, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
+- break;
+- case PUSH_ATT_TO_GLYPH_METRIC :
+- ++_stack_depth;
+- valid_upto(kgmetDescent, bc[0]);
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
+- // level: dp[2] no check necessary
++ test_ref(int8(bc[1]));
+ break;
+ case PUSH_ISLOT_ATTR :
+ ++_stack_depth;
+ if (valid_upto(gr_slatMax, bc[0]))
+ {
+- valid_upto(_rule_length, _pre_context + int8(bc[1]));
++ test_ref(int8(bc[1]));
+ valid_upto(_max.attrid[bc[0]], bc[2]);
+ }
+ break;
+ case PUSH_IGLYPH_ATTR :// not implemented
+ ++_stack_depth;
+ break;
+ case POP_RET :
+ if (--_stack_depth < 0)
+@@ -442,118 +438,107 @@ opcode Machine::Code::decoder::fetch_opc
+ valid_upto(_max.attrid[bc[0]], bc[1]);
+ test_context();
+ break;
+ case PUSH_PROC_STATE : // dummy: dp[0] no check necessary
+ case PUSH_VERSION :
+ ++_stack_depth;
+ break;
+ case PUT_SUBS :
+- valid_upto(_rule_length, _pre_context + int8(bc[0]));
++ test_ref(int8(bc[0]));
+ valid_upto(_max.classes, uint16(bc[1]<< 8) | bc[2]);
+ valid_upto(_max.classes, uint16(bc[3]<< 8) | bc[4]);
+ test_context();
+ break;
+ case PUT_SUBS2 : // not implemented
+ case PUT_SUBS3 : // not implemented
+ break;
+ case PUT_GLYPH :
+ valid_upto(_max.classes, uint16(bc[0]<< 8) | bc[1]);
+ test_context();
+ break;
+ case PUSH_GLYPH_ATTR :
+ case PUSH_ATT_TO_GLYPH_ATTR :
+ ++_stack_depth;
+ valid_upto(_max.glyf_attrs, uint16(bc[0]<< 8) | bc[1]);
+- valid_upto(_rule_length, _pre_context + int8(bc[2]));
++ test_ref(int8(bc[2]));
++ break;
++ case SET_FEAT :
++ valid_upto(_max.features, bc[0]);
++ test_ref(int8(bc[1]));
+ break;
+ default:
+ failure(invalid_opcode);
+ break;
+ }
+
+- return bool(_code) ? opc : MAX_OPCODE;
++ return bool(_code) ? opcode(opc) : MAX_OPCODE;
+ }
+
+
+ void Machine::Code::decoder::analyse_opcode(const opcode opc, const int8 * arg) throw()
+ {
+- if (_code._constraint) return;
+-
+ switch (opc)
+ {
+ case DELETE :
+ _code._delete = true;
+ break;
++ case ASSOC :
++ set_changed(0);
++// for (uint8 num = arg[0]; num; --num)
++// _analysis.set_noref(num);
++ break;
+ case PUT_GLYPH_8BIT_OBS :
+ case PUT_GLYPH :
+ _code._modify = true;
+- _analysis.set_changed(0);
++ set_changed(0);
+ break;
+ case ATTR_SET :
+ case ATTR_ADD :
++ case ATTR_SUB :
+ case ATTR_SET_SLOT :
+ case IATTR_SET_SLOT :
+ case IATTR_SET :
+ case IATTR_ADD :
+ case IATTR_SUB :
+- _analysis.set_noref(0);
++ set_noref(0);
+ break;
+ case NEXT :
+ case COPY_NEXT :
+- if (!_analysis.contexts[_analysis.slotref].flags.inserted)
+- ++_analysis.slotref;
+- _analysis.contexts[_analysis.slotref] = context(_code._instr_count+1);
++ ++_slotref;
++ _contexts[_slotref] = context(_code._instr_count+1);
+ // if (_analysis.slotref > _analysis.max_ref) _analysis.max_ref = _analysis.slotref;
+ break;
+ case INSERT :
+- _analysis.contexts[_analysis.slotref].flags.inserted = true;
++ if (_slotref >= 0) --_slotref;
+ _code._modify = true;
+ break;
+ case PUT_SUBS_8BIT_OBS : // slotref on 1st parameter
+ case PUT_SUBS :
+ _code._modify = true;
+- _analysis.set_changed(0);
++ set_changed(0);
+ GR_FALLTHROUGH;
+ // no break
+ case PUT_COPY :
+- {
+- if (arg[0] != 0) { _analysis.set_changed(0); _code._modify = true; }
+- if (arg[0] <= 0 && -arg[0] <= _analysis.slotref - _analysis.contexts[_analysis.slotref].flags.inserted)
+- _analysis.set_ref(arg[0], true);
+- else if (arg[0] > 0)
+- _analysis.set_ref(arg[0], true);
++ if (arg[0] != 0) { set_changed(0); _code._modify = true; }
++ set_ref(arg[0]);
+ break;
+- }
+- case PUSH_ATT_TO_GATTR_OBS : // slotref on 2nd parameter
+- if (_code._constraint) return;
+- GR_FALLTHROUGH;
+- // no break
+ case PUSH_GLYPH_ATTR_OBS :
+ case PUSH_SLOT_ATTR :
+ case PUSH_GLYPH_METRIC :
++ case PUSH_ATT_TO_GATTR_OBS :
+ case PUSH_ATT_TO_GLYPH_METRIC :
+ case PUSH_ISLOT_ATTR :
+ case PUSH_FEAT :
+- if (arg[1] <= 0 && -arg[1] <= _analysis.slotref - _analysis.contexts[_analysis.slotref].flags.inserted)
+- _analysis.set_ref(arg[1], true);
+- else if (arg[1] > 0)
+- _analysis.set_ref(arg[1], true);
++ case SET_FEAT :
++ set_ref(arg[1]);
+ break;
+ case PUSH_ATT_TO_GLYPH_ATTR :
+- if (_code._constraint) return;
+- GR_FALLTHROUGH;
+- // no break
+ case PUSH_GLYPH_ATTR :
+- if (arg[2] <= 0 && -arg[2] <= _analysis.slotref - _analysis.contexts[_analysis.slotref].flags.inserted)
+- _analysis.set_ref(arg[2], true);
+- else if (arg[2] > 0)
+- _analysis.set_ref(arg[2], true);
+- break;
+- case ASSOC : // slotrefs in varargs
++ set_ref(arg[2]);
+ break;
+ default:
+ break;
+ }
+ }
+
+
+ bool Machine::Code::decoder::emit_opcode(opcode opc, const byte * & bc)
+@@ -579,81 +564,89 @@ bool Machine::Code::decoder::emit_opcode
+ _data += param_sz;
+ _code._data_size += param_sz;
+ }
+
+ // recursively decode a context item so we can split the skip into
+ // instruction and data portions.
+ if (opc == CNTXT_ITEM)
+ {
+- assert(_pre_context == 0);
++ assert(_out_index == 0);
+ _in_ctxt_item = true;
+- _pre_context = _max.pre_context + int8(_data[-2]);
+- _rule_length = _max.rule_length;
++ _out_index = _max.pre_context + int8(_data[-2]);
++ _slotref = int8(_data[-2]);
++ _out_length = _max.rule_length;
+
+ const size_t ctxt_start = _code._instr_count;
+ byte & instr_skip = _data[-1];
+ byte & data_skip = *_data++;
+ ++_code._data_size;
+ const byte *curr_end = _max.bytecode;
+
+ if (load(bc, bc + instr_skip))
+ {
+ bc += instr_skip;
+ data_skip = instr_skip - (_code._instr_count - ctxt_start);
+ instr_skip = _code._instr_count - ctxt_start;
+ _max.bytecode = curr_end;
+
+- _rule_length = 1;
+- _pre_context = 0;
++ _out_length = 1;
++ _out_index = 0;
++ _slotref = 0;
+ _in_ctxt_item = false;
+ }
+ else
+ {
+- _pre_context = 0;
++ _out_index = 0;
++ _slotref = 0;
+ return false;
+ }
+ }
+
+ return bool(_code);
+ }
+
+
+ void Machine::Code::decoder::apply_analysis(instr * const code, instr * code_end)
+ {
+ // insert TEMP_COPY commands for slots that need them (that change and are referenced later)
+ int tempcount = 0;
+ if (_code._constraint) return;
+
+ const instr temp_copy = Machine::getOpcodeTable()[TEMP_COPY].impl[0];
+- for (const context * c = _analysis.contexts, * const ce = c + _analysis.slotref; c != ce; ++c)
++ for (const context * c = _contexts, * const ce = c + _slotref; c < ce; ++c)
+ {
+ if (!c->flags.referenced || !c->flags.changed) continue;
+
+ instr * const tip = code + c->codeRef + tempcount;
+ memmove(tip+1, tip, (code_end - tip) * sizeof(instr));
+ *tip = temp_copy;
+ ++code_end;
+ ++tempcount;
+ _code._delete = true;
+ }
+
+ _code._instr_count = code_end - code;
+ }
+
+
+ inline
+-bool Machine::Code::decoder::validate_opcode(const opcode opc, const byte * const bc)
++bool Machine::Code::decoder::validate_opcode(const byte opc, const byte * const bc)
+ {
+ if (opc >= MAX_OPCODE)
+ {
+ failure(invalid_opcode);
+ return false;
+ }
+ const opcode_t & op = Machine::getOpcodeTable()[opc];
++ if (op.impl[_code._constraint] == 0)
++ {
++ failure(unimplemented_opcode_used);
++ return false;
++ }
+ if (op.param_sz == VARARGS && bc >= _max.bytecode)
+ {
+ failure(arguments_exhausted);
+ return false;
+ }
+ const size_t param_sz = op.param_sz == VARARGS ? bc[0] + 1 : op.param_sz;
+ if (bc - 1 + param_sz >= _max.bytecode)
+ {
+@@ -666,56 +659,69 @@ bool Machine::Code::decoder::validate_op
+
+ bool Machine::Code::decoder::valid_upto(const uint16 limit, const uint16 x) const throw()
+ {
+ const bool t = (limit != 0) && (x < limit);
+ if (!t) failure(out_of_range_data);
+ return t;
+ }
+
++inline
++bool Machine::Code::decoder::test_ref(int8 index) const throw()
++{
++ if (_code._constraint && !_in_ctxt_item)
++ {
++ if (index > 0 || -index > _max.pre_context)
++ {
++ failure(out_of_range_data);
++ return false;
++ }
++ }
++ else
++ return valid_upto(_max.rule_length, _slotref + _max.pre_context + index);
++ return true;
++}
++
+ bool Machine::Code::decoder::test_context() const throw()
+ {
+- if (_pre_context >= _rule_length || _analysis.slotref >= analysis::NUMCONTEXTS - 1)
++ if (_out_index >= _out_length || _out_index < 0 || _slotref >= NUMCONTEXTS - 1)
+ {
+ failure(out_of_range_data);
+ return false;
+ }
+ return true;
+ }
+
+ inline
+ void Machine::Code::failure(const status_t s) throw() {
+ release_buffers();
+ _status = s;
+ }
+
+
+ inline
+-void Machine::Code::decoder::analysis::set_ref(int index, bool incinsert) throw() {
+- if (incinsert && contexts[slotref].flags.inserted) --index;
+- if (index + slotref < 0 || index + slotref >= NUMCONTEXTS) return;
+- contexts[index + slotref].flags.referenced = true;
+- if ((index > 0 || !contexts[index + slotref].flags.inserted) && index + slotref > max_ref) max_ref = index + slotref;
++void Machine::Code::decoder::set_ref(int index) throw() {
++ if (index + _slotref < 0 || index + _slotref >= NUMCONTEXTS) return;
++ _contexts[index + _slotref].flags.referenced = true;
++ if (index + _slotref > _max_ref) _max_ref = index + _slotref;
+ }
+
+
+ inline
+-void Machine::Code::decoder::analysis::set_noref(int index) throw() {
+- if (contexts[slotref].flags.inserted) --index;
+- if (index + slotref < 0 || index + slotref >= NUMCONTEXTS) return;
+- if ((index > 0 || !contexts[index + slotref].flags.inserted) && index + slotref > max_ref) max_ref = index + slotref;
++void Machine::Code::decoder::set_noref(int index) throw() {
++ if (index + _slotref < 0 || index + _slotref >= NUMCONTEXTS) return;
++ if (index + _slotref > _max_ref) _max_ref = index + _slotref;
+ }
+
+
+ inline
+-void Machine::Code::decoder::analysis::set_changed(int index) throw() {
+- if (contexts[slotref].flags.inserted) --index;
+- if (index + slotref < 0 || index + slotref >= NUMCONTEXTS) return;
+- contexts[index + slotref].flags.changed = true;
+- if ((index > 0 || !contexts[index + slotref].flags.inserted) && index + slotref > max_ref) max_ref = index + slotref;
++void Machine::Code::decoder::set_changed(int index) throw() {
++ if (index + _slotref < 0 || index + _slotref >= NUMCONTEXTS) return;
++ _contexts[index + _slotref].flags.changed= true;
++ if (index + _slotref > _max_ref) _max_ref = index + _slotref;
+ }
+
+
+ void Machine::Code::release_buffers() throw()
+ {
+ if (_own)
+ free(_code);
+ _code = 0;
+diff --git a/gfx/graphite2/src/Collider.cpp b/gfx/graphite2/src/Collider.cpp
+--- a/gfx/graphite2/src/Collider.cpp
++++ b/gfx/graphite2/src/Collider.cpp
+@@ -21,17 +21,17 @@
+
+ Alternatively, the contents of this file may be used under the terms of the
+ Mozilla Public License (http://mozilla.org/MPL) or the GNU General Public
+ License, as published by the Free Software Foundation, either version 2
+ of the License or (at your option) any later version.
+ */
+ #include <algorithm>
+ #include <limits>
+-#include <math.h>
++#include <cmath>
+ #include <string>
+ #include <functional>
+ #include "inc/Collider.h"
+ #include "inc/Segment.h"
+ #include "inc/Slot.h"
+ #include "inc/GlyphCache.h"
+ #include "inc/Sparse.h"
+
+@@ -824,43 +824,43 @@ bool KernCollider::initSlot(Segment *seg
+ if (margin < 10) margin = 10;
+
+ _limit = limit;
+ _offsetPrev = offsetPrev; // kern from a previous pass
+
+ // Calculate the height of the glyph and how many horizontal slices to use.
+ if (_maxy >= 1e37f)
+ {
+- _maxy = ymax;
+- _miny = ymin;
+ _sliceWidth = margin / 1.5f;
++ _maxy = ymax + margin;
++ _miny = ymin - margin;
+ numSlices = int((_maxy - _miny + 2) / (_sliceWidth / 1.5f) + 1.f); // +2 helps with rounding errors
+ _edges.clear();
+ _edges.insert(_edges.begin(), numSlices, (dir & 1) ? 1e38f : -1e38f);
+ _xbound = (dir & 1) ? (float)1e38f : (float)-1e38f;
+ }
+ else if (_maxy != ymax || _miny != ymin)
+ {
+ if (_miny != ymin)
+ {
+- numSlices = int((ymin - _miny) / _sliceWidth - 1);
++ numSlices = int((ymin - margin - _miny) / _sliceWidth - 1);
+ _miny += numSlices * _sliceWidth;
+ if (numSlices < 0)
+ _edges.insert(_edges.begin(), -numSlices, (dir & 1) ? 1e38f : -1e38f);
+ else if ((unsigned)numSlices < _edges.size()) // this shouldn't fire since we always grow the range
+ {
+ Vector<float>::iterator e = _edges.begin();
+ while (numSlices--)
+ ++e;
+ _edges.erase(_edges.begin(), e);
+ }
+ }
+ if (_maxy != ymax)
+ {
+- numSlices = int((ymax - _miny) / _sliceWidth + 1);
++ numSlices = int((ymax + margin - _miny) / _sliceWidth + 1);
+ _maxy = numSlices * _sliceWidth + _miny;
+ if (numSlices > (int)_edges.size())
+ _edges.insert(_edges.end(), numSlices - _edges.size(), (dir & 1) ? 1e38f : -1e38f);
+ else if (numSlices < (int)_edges.size()) // this shouldn't fire since we always grow the range
+ {
+ while ((int)_edges.size() > numSlices)
+ _edges.pop_back();
+ }
+@@ -930,53 +930,60 @@ bool KernCollider::initSlot(Segment *seg
+ // Return false if we know there is no collision, true if we think there might be one.
+ bool KernCollider::mergeSlot(Segment *seg, Slot *slot, const Position &currShift, float currSpace, int dir, GR_MAYBE_UNUSED json * const dbgout)
+ {
+ int rtl = (dir & 1) * 2 - 1;
+ if (!seg->getFace()->glyphs().check(slot->gid()))
+ return false;
+ const Rect &bb = seg->theGlyphBBoxTemporary(slot->gid());
+ const float sx = slot->origin().x + currShift.x;
+- float x = sx + (rtl > 0 ? bb.tr.x : bb.bl.x);
++ float x = (sx + (rtl > 0 ? bb.tr.x : bb.bl.x)) * rtl;
+ // this isn't going to reduce _mingap so skip
+- if ((rtl > 0 && x < _xbound - _mingap - currSpace) || (rtl <= 0 && x > _xbound + _mingap + currSpace))
++ if (x < rtl * (_xbound - _mingap - currSpace))
+ return false;
+
+ const float sy = slot->origin().y + currShift.y;
+- int smin = max(0, int((bb.bl.y + (1 - _miny + sy)) / _sliceWidth + 1));
+- int smax = min((int)_edges.size() - 1, int((bb.tr.y + (1 - _miny + sy)) / _sliceWidth + 1));
++ int smin = max(1, int((bb.bl.y + (1 - _miny + sy)) / _sliceWidth + 1)) - 1;
++ int smax = min((int)_edges.size() - 2, int((bb.tr.y + (1 - _miny + sy)) / _sliceWidth + 1)) + 1;
++ if (smin > smax)
++ return false;
+ bool collides = false;
++ float below = smin > 0 ? _edges[smin-1] * rtl : 1e38f;
++ float here = _edges[smin] * rtl;
++ float above = smin < (int)_edges.size() - 1 ? _edges[smin+1] * rtl : 1e38f;
+
+ for (int i = smin; i <= smax; ++i)
+ {
+ float t;
+ float y = (float)(_miny - 1 + (i + .5f) * _sliceWidth); // vertical center of slice
+- if (x * rtl > _edges[i] * rtl - _mingap - currSpace)
++ if ( (x > here - _mingap - currSpace)
++ || (x > below - _mingap - currSpace)
++ || (x > above - _mingap - currSpace))
+ {
+ // 2 * currSpace to account for the space that is already separating them and the space we want to add
+- float m = get_edge(seg, slot, currShift, y, _sliceWidth, rtl > 0) + 2 * rtl * currSpace;
+- t = rtl * (_edges[i] - m);
++ float m = get_edge(seg, slot, currShift, y, _sliceWidth, rtl > 0) * rtl + 2 * currSpace;
+ // Check slices above and below (if any).
+- if (i < (int)_edges.size() - 1) t = min(t, rtl * (_edges[i+1] - m));
+- if (i > 0) t = min(t, rtl * (_edges[i-1] - m));
++ t = min(min(here, below), above) - m;
+ // _mingap is positive to shrink
+ if (t < _mingap)
+ {
+ _mingap = t;
+ collides = true;
+ }
+ #if !defined GRAPHITE2_NTRACING
+ // Debugging - remember the closest neighboring edge for this slice.
+- if (rtl * m > rtl * _nearEdges[i])
++ if (m > rtl * _nearEdges[i])
+ {
+ _slotNear[i] = slot;
+- _nearEdges[i] = m;
++ _nearEdges[i] = m * rtl;
+ }
+ #endif
+ }
++ below = here; here = above;
++ above = i < (int)_edges.size() - 2 ? _edges[i+2] * rtl : 1e38f;
+ }
+ return collides; // note that true is not a necessarily reliable value
+
+ } // end of KernCollider::mergeSlot
+
+
+ // Return the amount to kern by.
+ Position KernCollider::resolve(GR_MAYBE_UNUSED Segment *seg, GR_MAYBE_UNUSED Slot *slot,
+diff --git a/gfx/graphite2/src/Face.cpp b/gfx/graphite2/src/Face.cpp
+--- a/gfx/graphite2/src/Face.cpp
++++ b/gfx/graphite2/src/Face.cpp
+@@ -178,17 +178,18 @@ bool Face::runGraphite(Segment *seg, con
+ if ((seg->dir() & 3) == 3 && aSilf->bidiPass() == 0xFF)
+ seg->doMirror(aSilf->aMirror());
+ bool res = aSilf->runGraphite(seg, 0, aSilf->positionPass(), true);
+ if (res)
+ {
+ seg->associateChars(0, seg->charInfoCount());
+ if (aSilf->flags() & 0x20)
+ res &= seg->initCollisions();
+- res &= aSilf->runGraphite(seg, aSilf->positionPass(), aSilf->numPasses(), false);
++ if (res)
++ res &= aSilf->runGraphite(seg, aSilf->positionPass(), aSilf->numPasses(), false);
+ }
+
+ #if !defined GRAPHITE2_NTRACING
+ if (dbgout)
+ {
+ seg->positionSlots(0, 0, 0, aSilf->dir());
+ *dbgout << json::item
+ << json::close // Close up the passes array
+@@ -226,17 +227,17 @@ const Silf *Face::chooseSilf(uint32 scri
+ return m_silfs;
+ }
+
+ uint16 Face::findPseudo(uint32 uid) const
+ {
+ return (m_numSilf) ? m_silfs[0].findPseudo(uid) : 0;
+ }
+
+-uint16 Face::getGlyphMetric(uint16 gid, uint8 metric) const
++int32 Face::getGlyphMetric(uint16 gid, uint8 metric) const
+ {
+ switch (metrics(metric))
+ {
+ case kgmetAscent : return m_ascent;
+ case kgmetDescent : return m_descent;
+ default:
+ if (gid >= glyphs().numGlyphs()) return 0;
+ return glyphs().glyph(gid)->getMetric(metric);
+@@ -277,17 +278,17 @@ Face::Table::Table(const Face & face, co
+ : _f(&face), _compressed(false)
+ {
+ size_t sz = 0;
+ _p = static_cast<const byte *>((*_f->m_ops.get_table)(_f->m_appFaceHandle, n, &sz));
+ _sz = uint32(sz);
+
+ if (!TtfUtil::CheckTable(n, _p, _sz))
+ {
+- this->~Table(); // Make sure we release the table buffer even if the table filed it's checks
++ releaseBuffers(); // Make sure we release the table buffer even if the table failed it's checks
+ return;
+ }
+
+ if (be::peek<uint32>(_p) >= version)
+ decompress();
+ }
+
+ void Face::Table::releaseBuffers()
+@@ -324,17 +325,18 @@ Error Face::Table::decompress()
+ switch(compression(hdr >> 27))
+ {
+ case NONE: return e;
+
+ case LZ4:
+ {
+ uncompressed_size = hdr & 0x07ffffff;
+ uncompressed_table = gralloc<byte>(uncompressed_size);
+- if (!e.test(!uncompressed_table, E_OUTOFMEM))
++ if (!e.test(!uncompressed_table || uncompressed_size < 4, E_OUTOFMEM))
++ memset(uncompressed_table, 0, 4); // make sure version number is initialised
+ // coverity[forward_null : FALSE] - uncompressed_table has been checked so can't be null
+ // coverity[checked_return : FALSE] - we test e later
+ e.test(lz4::decompress(p, _sz - 2*sizeof(uint32), uncompressed_table, uncompressed_size) != signed(uncompressed_size), E_SHRINKERFAILED);
+ break;
+ }
+
+ default:
+ e.error(E_BADSCHEME);
+diff --git a/gfx/graphite2/src/GlyphCache.cpp b/gfx/graphite2/src/GlyphCache.cpp
+--- a/gfx/graphite2/src/GlyphCache.cpp
++++ b/gfx/graphite2/src/GlyphCache.cpp
+@@ -111,18 +111,20 @@ private:
+ _num_glyphs_attributes,
+ _num_attrs; // number of glyph attributes per glyph
+ };
+
+
+
+ GlyphCache::GlyphCache(const Face & face, const uint32 face_options)
+ : _glyph_loader(new Loader(face, bool(face_options & gr_face_dumbRendering))),
+- _glyphs(_glyph_loader && *_glyph_loader ? grzeroalloc<const GlyphFace *>(_glyph_loader->num_glyphs()) : 0),
+- _boxes(_glyph_loader && _glyph_loader->has_boxes() ? grzeroalloc<GlyphBox *>(_glyph_loader->num_glyphs()) : 0),
++ _glyphs(_glyph_loader && *_glyph_loader && _glyph_loader->num_glyphs()
++ ? grzeroalloc<const GlyphFace *>(_glyph_loader->num_glyphs()) : 0),
++ _boxes(_glyph_loader && _glyph_loader->has_boxes() && _glyph_loader->num_glyphs()
++ ? grzeroalloc<GlyphBox *>(_glyph_loader->num_glyphs()) : 0),
+ _num_glyphs(_glyphs ? _glyph_loader->num_glyphs() : 0),
+ _num_attrs(_glyphs ? _glyph_loader->num_attrs() : 0),
+ _upem(_glyphs ? _glyph_loader->units_per_em() : 0)
+ {
+ if ((face_options & gr_face_preloadGlyphs) && _glyph_loader && _glyphs)
+ {
+ int numsubs = 0;
+ GlyphFace * const glyphs = new GlyphFace [_num_glyphs];
+@@ -139,17 +141,17 @@ GlyphCache::GlyphCache(const Face & face
+ for (uint16 gid = 1; loaded && gid != _num_glyphs; ++gid)
+ _glyphs[gid] = loaded = _glyph_loader->read_glyph(gid, glyphs[gid], &numsubs);
+
+ if (!loaded)
+ {
+ _glyphs[0] = 0;
+ delete [] glyphs;
+ }
+- else if (numsubs > 0)
++ else if (numsubs > 0 && _boxes)
+ {
+ GlyphBox * boxes = (GlyphBox *)gralloc<char>(_num_glyphs * sizeof(GlyphBox) + numsubs * 8 * sizeof(float));
+ GlyphBox * currbox = boxes;
+
+ for (uint16 gid = 0; currbox && gid != _num_glyphs; ++gid)
+ {
+ _boxes[gid] = currbox;
+ currbox = _glyph_loader->read_box(gid, currbox, *_glyphs[gid]);
+@@ -204,16 +206,18 @@ GlyphCache::~GlyphCache()
+ free(_boxes[0]);
+ free(_boxes);
+ }
+ delete _glyph_loader;
+ }
+
+ const GlyphFace *GlyphCache::glyph(unsigned short glyphid) const //result may be changed by subsequent call with a different glyphid
+ {
++ if (glyphid >= numGlyphs())
++ return _glyphs[0];
+ const GlyphFace * & p = _glyphs[glyphid];
+ if (p == 0 && _glyph_loader)
+ {
+ int numsubs = 0;
+ GlyphFace * g = new GlyphFace();
+ if (g) p = _glyph_loader->read_glyph(glyphid, *g, &numsubs);
+ if (!p)
+ {
+@@ -280,26 +284,27 @@ GlyphCache::Loader::Loader(const Face &
+ _long_fmt = flags & 1;
+ int tmpnumgattrs = (m_pGloc.size()
+ - (p - m_pGloc)
+ - sizeof(uint16)*(flags & 0x2 ? _num_attrs : 0))
+ / (_long_fmt ? sizeof(uint32) : sizeof(uint16)) - 1;
+
+ if (version >= 0x00020000 || tmpnumgattrs < 0 || tmpnumgattrs > 65535
+ || _num_attrs == 0 || _num_attrs > 0x3000 // is this hard limit appropriate?
+- || _num_glyphs_graphics > tmpnumgattrs)
++ || _num_glyphs_graphics > tmpnumgattrs
++ || m_pGlat.size() < 4)
+ {
+ _head = Face::Table();
+ return;
+ }
+
+ _num_glyphs_attributes = static_cast<unsigned short>(tmpnumgattrs);
+ p = m_pGlat;
+ version = be::read<uint32>(p);
+- if (version >= 0x00040000) // reject Glat tables that are too new
++ if (version >= 0x00040000 || (version >= 0x00030000 && m_pGlat.size() < 8)) // reject Glat tables that are too new
+ {
+ _head = Face::Table();
+ return;
+ }
+ else if (version >= 0x00030000)
+ {
+ unsigned int glatflags = be::read<uint32>(p);
+ _has_boxes = glatflags & 1;
+@@ -381,22 +386,24 @@ const GlyphFace * GlyphCache::Loader::re
+ }
+ else
+ {
+ be::skip<uint16>(gloc, glyphid);
+ glocs = be::read<uint16>(gloc);
+ gloce = be::peek<uint16>(gloc);
+ }
+
+- if (glocs >= m_pGlat.size() || gloce > m_pGlat.size())
++ if (glocs >= m_pGlat.size() - 1 || gloce > m_pGlat.size())
+ return 0;
+
+ const uint32 glat_version = be::peek<uint32>(m_pGlat);
+- if (glat_version == 0x00030000)
++ if (glat_version >= 0x00030000)
+ {
++ if (glocs >= gloce)
++ return 0;
+ const byte * p = m_pGlat + glocs;
+ uint16 bmap = be::read<uint16>(p);
+ int num = bit_set_count((uint32)bmap);
+ if (numsubs) *numsubs += num;
+ glocs += 6 + 8 * num;
+ if (glocs > gloce)
+ return 0;
+ }
+@@ -449,29 +456,31 @@ GlyphBox * GlyphCache::Loader::read_box(
+ }
+ else
+ {
+ be::skip<uint16>(gloc, gid);
+ glocs = be::read<uint16>(gloc);
+ gloce = be::peek<uint16>(gloc);
+ }
+
+- if (glocs >= m_pGlat.size() || gloce > m_pGlat.size())
++ if (gloce > m_pGlat.size() || glocs + 6 >= gloce)
+ return 0;
+
+ const byte * p = m_pGlat + glocs;
+ uint16 bmap = be::read<uint16>(p);
+ int num = bit_set_count((uint32)bmap);
+
+ Rect bbox = glyph.theBBox();
+ Rect diamax(Position(bbox.bl.x + bbox.bl.y, bbox.bl.x - bbox.tr.y),
+ Position(bbox.tr.x + bbox.tr.y, bbox.tr.x - bbox.bl.y));
+ Rect diabound = readbox(diamax, p[0], p[2], p[1], p[3]);
+ ::new (curr) GlyphBox(num, bmap, &diabound);
+ be::skip<uint8>(p, 4);
++ if (glocs + 6 + num * 8 >= gloce)
++ return 0;
+
+ for (int i = 0; i < num * 2; ++i)
+ {
+ Rect box = readbox((i & 1) ? diamax : bbox, p[0], p[2], p[1], p[3]);
+ curr->addSubBox(i >> 1, i & 1, &box);
+ be::skip<uint8>(p, 4);
+ }
+ return (GlyphBox *)((char *)(curr) + sizeof(GlyphBox) + 2 * num * sizeof(Rect));
+diff --git a/gfx/graphite2/src/GlyphFace.cpp b/gfx/graphite2/src/GlyphFace.cpp
+--- a/gfx/graphite2/src/GlyphFace.cpp
++++ b/gfx/graphite2/src/GlyphFace.cpp
+@@ -24,25 +24,25 @@ Mozilla Public License (http://mozilla.o
+ License, as published by the Free Software Foundation, either version 2
+ of the License or (at your option) any later version.
+ */
+ #include "inc/GlyphFace.h"
+
+
+ using namespace graphite2;
+
+-uint16 GlyphFace::getMetric(uint8 metric) const
++int32 GlyphFace::getMetric(uint8 metric) const
+ {
+ switch (metrics(metric))
+ {
+- case kgmetLsb : return static_cast<uint16>(m_bbox.bl.x);
+- case kgmetRsb : return static_cast<uint16>(m_advance.x - m_bbox.tr.x);
+- case kgmetBbTop : return static_cast<uint16>(m_bbox.tr.y);
+- case kgmetBbBottom : return static_cast<uint16>(m_bbox.bl.y);
+- case kgmetBbLeft : return static_cast<uint16>(m_bbox.bl.x);
+- case kgmetBbRight : return static_cast<uint16>(m_bbox.tr.x);
+- case kgmetBbHeight : return static_cast<uint16>(m_bbox.tr.y - m_bbox.bl.y);
+- case kgmetBbWidth : return static_cast<uint16>(m_bbox.tr.x - m_bbox.bl.x);
+- case kgmetAdvWidth : return static_cast<uint16>(m_advance.x);
+- case kgmetAdvHeight : return static_cast<uint16>(m_advance.y);
++ case kgmetLsb : return m_bbox.bl.x;
++ case kgmetRsb : return m_advance.x - m_bbox.tr.x;
++ case kgmetBbTop : return m_bbox.tr.y;
++ case kgmetBbBottom : return m_bbox.bl.y;
++ case kgmetBbLeft : return m_bbox.bl.x;
++ case kgmetBbRight : return m_bbox.tr.x;
++ case kgmetBbHeight : return m_bbox.tr.y - m_bbox.bl.y;
++ case kgmetBbWidth : return m_bbox.tr.x - m_bbox.bl.x;
++ case kgmetAdvWidth : return m_advance.x;
++ case kgmetAdvHeight : return m_advance.y;
+ default : return 0;
+ }
+ }
+diff --git a/gfx/graphite2/src/Justifier.cpp b/gfx/graphite2/src/Justifier.cpp
+--- a/gfx/graphite2/src/Justifier.cpp
++++ b/gfx/graphite2/src/Justifier.cpp
+@@ -95,62 +95,63 @@ float Segment::justify(Slot *pSlot, cons
+
+ end = pLast->nextSibling();
+ pFirst = pFirst->nextSibling();
+
+ int icount = 0;
+ int numLevels = silf()->numJustLevels();
+ if (!numLevels)
+ {
+- for (s = pSlot; s != end; s = s->next())
++ for (s = pSlot; s && s != end; s = s->nextSibling())
+ {
+ CharInfo *c = charinfo(s->before());
+ if (isWhitespace(c->unicodeChar()))
+ {
+ s->setJustify(this, 0, 3, 1);
+ s->setJustify(this, 0, 2, 1);
+ s->setJustify(this, 0, 0, -1);
+ ++icount;
+ }
+ }
+ if (!icount)
+ {
+- for (s = pSlot; s != end; s = s->nextSibling())
++ for (s = pSlot; s && s != end; s = s->nextSibling())
+ {
+ s->setJustify(this, 0, 3, 1);
+ s->setJustify(this, 0, 2, 1);
+ s->setJustify(this, 0, 0, -1);
+ }
+ }
+ ++numLevels;
+ }
+
+ Vector<JustifyTotal> stats(numLevels);
+- for (s = pFirst; s != end; s = s->nextSibling())
++ for (s = pFirst; s && s != end; s = s->nextSibling())
+ {
+ float w = s->origin().x / scale + s->advance() - base;
+ if (w > currWidth) currWidth = w;
+ for (int j = 0; j < numLevels; ++j)
+ stats[j].accumulate(s, this, j);
+ s->just(0);
+ }
+
+ for (int i = (width < 0.0f) ? -1 : numLevels - 1; i >= 0; --i)
+ {
+ float diff;
+ float error = 0.;
+ float diffpw;
+ int tWeight = stats[i].weight();
++ if (tWeight == 0) continue;
+
+ do {
+ error = 0.;
+ diff = width - currWidth;
+ diffpw = diff / tWeight;
+ tWeight = 0;
+- for (s = pFirst; s != end; s = s->nextSibling()) // don't include final glyph
++ for (s = pFirst; s && s != end; s = s->nextSibling()) // don't include final glyph
+ {
+ int w = s->getJustify(this, i, 3);
+ float pref = diffpw * w + error;
+ int step = s->getJustify(this, i, 2);
+ if (!step) step = 1; // handle lazy font developers
+ if (pref > 0)
+ {
+ float max = uint16(s->getJustify(this, i, 0));
+diff --git a/gfx/graphite2/src/NameTable.cpp b/gfx/graphite2/src/NameTable.cpp
+--- a/gfx/graphite2/src/NameTable.cpp
++++ b/gfx/graphite2/src/NameTable.cpp
+@@ -42,25 +42,26 @@ NameTable::NameTable(const void* data, s
+ memcpy(pdata, data, length);
+ m_table = reinterpret_cast<const TtfUtil::Sfnt::FontNames*>(pdata);
+
+ if ((length > sizeof(TtfUtil::Sfnt::FontNames)) &&
+ (length > sizeof(TtfUtil::Sfnt::FontNames) +
+ sizeof(TtfUtil::Sfnt::NameRecord) * ( be::swap<uint16>(m_table->count) - 1)))
+ {
+ uint16 offset = be::swap<uint16>(m_table->string_offset);
+- m_nameData = reinterpret_cast<const uint8*>(pdata) + offset;
+- setPlatformEncoding(platformId, encodingID);
+- m_nameDataLength = length - offset;
++ if (offset < length)
++ {
++ m_nameData = reinterpret_cast<const uint8*>(pdata) + offset;
++ setPlatformEncoding(platformId, encodingID);
++ m_nameDataLength = length - offset;
++ return;
++ }
+ }
+- else
+- {
+- free(const_cast<TtfUtil::Sfnt::FontNames*>(m_table));
+- m_table = NULL;
+- }
++ free(const_cast<TtfUtil::Sfnt::FontNames*>(m_table));
++ m_table = NULL;
+ }
+
+ uint16 NameTable::setPlatformEncoding(uint16 platformId, uint16 encodingID)
+ {
+ if (!m_nameData) return 0;
+ uint16 i = 0;
+ uint16 count = be::swap<uint16>(m_table->count);
+ for (; i < count; i++)
+@@ -139,28 +140,36 @@ void* NameTable::getName(uint16& languag
+ uint16 offset = be::swap<uint16>(nameRecord.offset);
+ if(offset + utf16Length > m_nameDataLength)
+ {
+ languageId = 0;
+ length = 0;
+ return NULL;
+ }
+ utf16Length >>= 1; // in utf16 units
+- utf16::codeunit_t * utf16Name = gralloc<utf16::codeunit_t>(utf16Length);
++ utf16::codeunit_t * utf16Name = gralloc<utf16::codeunit_t>(utf16Length + 1);
+ if (!utf16Name)
+ {
+ languageId = 0;
+ length = 0;
+ return NULL;
+ }
+ const uint8* pName = m_nameData + offset;
+ for (size_t i = 0; i < utf16Length; i++)
+ {
+ utf16Name[i] = be::read<uint16>(pName);
+ }
++ utf16Name[utf16Length] = 0;
++ if (!utf16::validate(utf16Name, utf16Name + utf16Length))
++ {
++ free(utf16Name);
++ languageId = 0;
++ length = 0;
++ return NULL;
++ }
+ switch (enc)
+ {
+ case gr_utf8:
+ {
+ utf8::codeunit_t* uniBuffer = gralloc<utf8::codeunit_t>(3 * utf16Length + 1);
+ if (!uniBuffer)
+ {
+ free(utf16Name);
+diff --git a/gfx/graphite2/src/Pass.cpp b/gfx/graphite2/src/Pass.cpp
+--- a/gfx/graphite2/src/Pass.cpp
++++ b/gfx/graphite2/src/Pass.cpp
+@@ -96,17 +96,17 @@ bool Pass::readPass(const byte * const p
+ const byte * p = pass_start,
+ * const pass_end = p + pass_length;
+ size_t numRanges;
+
+ if (e.test(pass_length < 40, E_BADPASSLENGTH)) return face.error(e);
+ // Read in basic values
+ const byte flags = be::read<byte>(p);
+ if (e.test((flags & 0x1f) &&
+- (pt < PASS_TYPE_POSITIONING || !m_silf->aCollision() || !face.glyphs().hasBoxes()),
++ (pt < PASS_TYPE_POSITIONING || !m_silf->aCollision() || !face.glyphs().hasBoxes() || !(m_silf->flags() & 0x20)),
+ E_BADCOLLISIONPASS))
+ return face.error(e);
+ m_numCollRuns = flags & 0x7;
+ m_kernColls = (flags >> 3) & 0x3;
+ m_isReverseDir = (flags >> 5) & 0x1;
+ m_iMaxLoop = be::read<byte>(p);
+ if (m_iMaxLoop < 1) m_iMaxLoop = 1;
+ be::skip<byte>(p,2); // skip maxContext & maxBackup
+@@ -226,17 +226,21 @@ bool Pass::readRules(const byte * rule_m
+ // Load rules.
+ const byte * ac_begin = 0, * rc_begin = 0,
+ * ac_end = ac_data + be::peek<uint16>(o_action),
+ * rc_end = rc_data + be::peek<uint16>(o_constraint);
+
+ // Allocate pools
+ m_rules = new Rule [m_numRules];
+ m_codes = new Code [m_numRules*2];
+- const size_t prog_pool_sz = vm::Machine::Code::estimateCodeDataOut(ac_end - ac_data + rc_end - rc_data);
++ int totalSlots = 0;
++ const uint16 *tsort = sort_key;
++ for (int i = 0; i < m_numRules; ++i)
++ totalSlots += be::peek<uint16>(--tsort);
++ const size_t prog_pool_sz = vm::Machine::Code::estimateCodeDataOut(ac_end - ac_data + rc_end - rc_data, 2 * m_numRules, totalSlots);
+ m_progs = gralloc<byte>(prog_pool_sz);
+ byte * prog_pool_free = m_progs,
+ * prog_pool_end = m_progs + prog_pool_sz;
+ if (e.test(!(m_rules && m_codes && m_progs), E_OUTOFMEM)) return face.error(e);
+
+ Rule * r = m_rules + m_numRules - 1;
+ for (size_t n = m_numRules; r >= m_rules; --n, --r, ac_end = ac_begin, rc_end = rc_begin)
+ {
+@@ -249,17 +253,17 @@ bool Pass::readRules(const byte * rule_m
+ if (r->sort > 63 || r->preContext >= r->sort || r->preContext > m_maxPreCtxt || r->preContext < m_minPreCtxt)
+ return false;
+ ac_begin = ac_data + be::peek<uint16>(--o_action);
+ --o_constraint;
+ rc_begin = be::peek<uint16>(o_constraint) ? rc_data + be::peek<uint16>(o_constraint) : rc_end;
+
+ if (ac_begin > ac_end || ac_begin > ac_data_end || ac_end > ac_data_end
+ || rc_begin > rc_end || rc_begin > rc_data_end || rc_end > rc_data_end
+- || vm::Machine::Code::estimateCodeDataOut(ac_end - ac_begin + rc_end - rc_begin) > size_t(prog_pool_end - prog_pool_free))
++ || vm::Machine::Code::estimateCodeDataOut(ac_end - ac_begin + rc_end - rc_begin, 2, r->sort) > size_t(prog_pool_end - prog_pool_free))
+ return false;
+ r->action = new (m_codes+n*2-2) vm::Machine::Code(false, ac_begin, ac_end, r->preContext, r->sort, *m_silf, face, pt, &prog_pool_free);
+ r->constraint = new (m_codes+n*2-1) vm::Machine::Code(true, rc_begin, rc_end, r->preContext, r->sort, *m_silf, face, pt, &prog_pool_free);
+
+ if (e.test(!r->action || !r->constraint, E_OUTOFMEM)
+ || e.test(r->action->status() != Code::loaded, r->action->status() + E_CODEFAILURE)
+ || e.test(r->constraint->status() != Code::loaded, r->constraint->status() + E_CODEFAILURE)
+ || e.test(!r->constraint->immutable(), E_MUTABLECCODE))
+@@ -330,17 +334,17 @@ bool Pass::readStates(const byte * start
+
+ // load state transition table.
+ for (uint16 * t = m_transitions,
+ * const t_end = t + m_numTransition*m_numColumns; t != t_end; ++t)
+ {
+ *t = be::read<uint16>(states);
+ if (e.test(*t >= m_numStates, E_BADSTATE))
+ {
+- face.error_context((face.error_context() & 0xFFFF00) + EC_ATRANS + (((t - m_transitions) / m_numColumns) << 24));
++ face.error_context((face.error_context() & 0xFFFF00) + EC_ATRANS + (((t - m_transitions) / m_numColumns) << 8));
+ return face.error(e);
+ }
+ }
+
+ State * s = m_states,
+ * const success_begin = m_states + m_numStates - m_numSuccess;
+ const RuleEntry * rule_map_end = m_ruleMap + be::peek<uint16>(o_rule_map + m_numSuccess*sizeof(uint16));
+ for (size_t n = m_numStates; n; --n, ++s)
+@@ -351,17 +355,18 @@ bool Pass::readStates(const byte * start
+ if (e.test(begin >= rule_map_end || end > rule_map_end || begin > end, E_BADRULEMAPPING))
+ {
+ face.error_context((face.error_context() & 0xFFFF00) + EC_ARULEMAP + (n << 24));
+ return face.error(e);
+ }
+ s->rules = begin;
+ s->rules_end = (end - begin <= FiniteStateMachine::MAX_RULES)? end :
+ begin + FiniteStateMachine::MAX_RULES;
+- qsort(begin, end - begin, sizeof(RuleEntry), &cmpRuleEntry);
++ if (begin) // keep UBSan happy can't call qsort with null begin
++ qsort(begin, end - begin, sizeof(RuleEntry), &cmpRuleEntry);
+ }
+
+ return true;
+ }
+
+ bool Pass::readRanges(const byte * ranges, size_t num_ranges, Error &e)
+ {
+ m_cols = gralloc<uint16>(m_numGlyphs);
+@@ -449,19 +454,19 @@ bool Pass::runFSM(FiniteStateMachine& fs
+ if (fsm.slots.context() < m_minPreCtxt)
+ return false;
+
+ uint16 state = m_startStates[m_maxPreCtxt - fsm.slots.context()];
+ uint8 free_slots = SlotMap::MAX_SLOTS;
+ do
+ {
+ fsm.slots.pushSlot(slot);
+- if (--free_slots == 0
+- || slot->gid() >= m_numGlyphs
++ if (slot->gid() >= m_numGlyphs
+ || m_cols[slot->gid()] == 0xffffU
++ || --free_slots == 0
+ || state >= m_numTransition)
+ return free_slots != 0;
+
+ const uint16 * transitions = m_transitions + state*m_numColumns;
+ state = transitions[m_cols[slot->gid()]];
+ if (state >= m_successStart)
+ fsm.rules.accumulate_rules(m_states[state]);
+
+@@ -627,37 +632,40 @@ bool Pass::testPassConstraint(Machine &
+ }
+
+
+ bool Pass::testConstraint(const Rule & r, Machine & m) const
+ {
+ const uint16 curr_context = m.slotMap().context();
+ if (unsigned(r.sort - r.preContext) > m.slotMap().size() - curr_context
+ || curr_context - r.preContext < 0) return false;
++
++ vm::slotref * map = m.slotMap().begin() + curr_context - r.preContext;
++ if (map[r.sort - 1] == 0)
++ return false;
++
+ if (!*r.constraint) return true;
+ assert(r.constraint->constraint());
+-
+- vm::slotref * map = m.slotMap().begin() + curr_context - r.preContext;
+ for (int n = r.sort; n && map; --n, ++map)
+ {
+ if (!*map) continue;
+ const int32 ret = r.constraint->run(m, map);
+ if (!ret || m.status() != Machine::finished)
+ return false;
+ }
+
+ return true;
+ }
+
+
+ void SlotMap::collectGarbage(Slot * &aSlot)
+ {
+ for(Slot **s = begin(), *const *const se = end() - 1; s != se; ++s) {
+ Slot *& slot = *s;
+- if(slot->isDeleted() || slot->isCopied())
++ if(slot && (slot->isDeleted() || slot->isCopied()))
+ {
+ if (slot == aSlot)
+ aSlot = slot->prev() ? slot->prev() : slot->next();
+ segment.freeSlot(slot);
+ }
+ }
+ }
+
+@@ -848,17 +856,16 @@ bool Pass::collisionShift(Segment *seg,
+ }
+ }
+ }
+ return true;
+ }
+
+ bool Pass::collisionKern(Segment *seg, int dir, json * const dbgout) const
+ {
+- KernCollider kerncoll(dbgout);
+ Slot *start = seg->first();
+ float ymin = 1e38f;
+ float ymax = -1e38f;
+ const GlyphCache &gc = seg->getFace()->glyphs();
+
+ // phase 3 : handle kerning of clusters
+ #if !defined GRAPHITE2_NTRACING
+ if (dbgout)
+@@ -871,17 +878,17 @@ bool Pass::collisionKern(Segment *seg, i
+ return false;
+ const SlotCollision * c = seg->collisionInfo(s);
+ const Rect &bbox = seg->theGlyphBBoxTemporary(s->gid());
+ float y = s->origin().y + c->shift().y;
+ ymax = max(y + bbox.tr.y, ymax);
+ ymin = min(y + bbox.bl.y, ymin);
+ if (start && (c->flags() & (SlotCollision::COLL_KERN | SlotCollision::COLL_FIX))
+ == (SlotCollision::COLL_KERN | SlotCollision::COLL_FIX))
+- resolveKern(seg, s, start, kerncoll, dir, ymin, ymax, dbgout);
++ resolveKern(seg, s, start, dir, ymin, ymax, dbgout);
+ if (c->flags() & SlotCollision::COLL_END)
+ start = NULL;
+ if (c->flags() & SlotCollision::COLL_START)
+ start = s;
+ }
+
+ #if !defined GRAPHITE2_NTRACING
+ if (dbgout)
+@@ -1010,17 +1017,17 @@ bool Pass::resolveCollisions(Segment *se
+ if (isCol)
+ { cFix->setFlags(cFix->flags() | SlotCollision::COLL_ISCOL | SlotCollision::COLL_KNOWN); }
+ else
+ { cFix->setFlags((cFix->flags() & ~SlotCollision::COLL_ISCOL) | SlotCollision::COLL_KNOWN); }
+ hasCol |= isCol;
+ return true;
+ }
+
+-float Pass::resolveKern(Segment *seg, Slot *slotFix, GR_MAYBE_UNUSED Slot *start, KernCollider &coll, int dir,
++float Pass::resolveKern(Segment *seg, Slot *slotFix, GR_MAYBE_UNUSED Slot *start, int dir,
+ float &ymin, float &ymax, json *const dbgout) const
+ {
+ Slot *nbor; // neighboring slot
+ float currSpace = 0.;
+ bool collides = false;
+ unsigned int space_count = 0;
+ Slot *base = slotFix;
+ while (base->attachedTo())
+@@ -1030,16 +1037,17 @@ float Pass::resolveKern(Segment *seg, Sl
+
+ if (base != slotFix)
+ {
+ cFix->setFlags(cFix->flags() | SlotCollision::COLL_KERN | SlotCollision::COLL_FIX);
+ return 0;
+ }
+ bool seenEnd = (cFix->flags() & SlotCollision::COLL_END) != 0;
+ bool isInit = false;
++ KernCollider coll(dbgout);
+
+ for (nbor = slotFix->next(); nbor; nbor = nbor->next())
+ {
+ if (nbor->isChildOf(base))
+ continue;
+ if (!gc.check(nbor->gid()))
+ return 0.;
+ const Rect &bb = seg->theGlyphBBoxTemporary(nbor->gid());
+diff --git a/gfx/graphite2/src/Segment.cpp b/gfx/graphite2/src/Segment.cpp
+--- a/gfx/graphite2/src/Segment.cpp
++++ b/gfx/graphite2/src/Segment.cpp
+@@ -419,16 +419,19 @@ Position Segment::positionSlots(const Fo
+ reverseSlots();
+ temp = iStart;
+ iStart = iEnd;
+ iEnd = temp;
+ }
+ if (!iStart) iStart = m_first;
+ if (!iEnd) iEnd = m_last;
+
++ if (!iStart || !iEnd) // only true for empty segments
++ return currpos;
++
+ if (isRtl)
+ {
+ for (Slot * s = iEnd, * const end = iStart->prev(); s && s != end; s = s->prev())
+ {
+ if (s->isBase())
+ currpos = s->finalise(this, font, currpos, bbox, 0, clusterMin = currpos.x, isRtl, isFinal);
+ }
+ }
+@@ -526,11 +529,14 @@ void Segment::doMirror(uint16 aMirror)
+ }
+
+ bool Segment::initCollisions()
+ {
+ m_collisions = grzeroalloc<SlotCollision>(slotCount());
+ if (!m_collisions) return false;
+
+ for (Slot *p = m_first; p; p = p->next())
+- ::new (collisionInfo(p)) SlotCollision(this, p);
++ if (p->index() < slotCount())
++ ::new (collisionInfo(p)) SlotCollision(this, p);
++ else
++ return false;
+ return true;
+ }
+diff --git a/gfx/graphite2/src/Silf.cpp b/gfx/graphite2/src/Silf.cpp
+--- a/gfx/graphite2/src/Silf.cpp
++++ b/gfx/graphite2/src/Silf.cpp
+@@ -350,20 +350,20 @@ uint16 Silf::getClassGlyph(uint16 cid, u
+ }
+ return 0;
+ }
+
+
+ bool Silf::runGraphite(Segment *seg, uint8 firstPass, uint8 lastPass, int dobidi) const
+ {
+ assert(seg != 0);
+- SlotMap map(*seg, m_dir);
++ unsigned int maxSize = seg->slotCount() * MAX_SEG_GROWTH_FACTOR;
++ SlotMap map(*seg, m_dir, maxSize);
+ FiniteStateMachine fsm(map, seg->getFace()->logger());
+ vm::Machine m(map);
+- unsigned int initSize = seg->slotCount();
+ uint8 lbidi = m_bPass;
+ #if !defined GRAPHITE2_NTRACING
+ json * const dbgout = seg->getFace()->logger();
+ #endif
+
+ if (lastPass == 0)
+ {
+ if (firstPass == lastPass && lbidi == 0xFF)
+@@ -419,13 +419,13 @@ bool Silf::runGraphite(Segment *seg, uin
+
+ // test whether to reorder, prepare for positioning
+ bool reverse = (lbidi == 0xFF) && (seg->currdir() != ((m_dir & 1) ^ m_passes[i].reverseDir()));
+ if ((i >= 32 || (seg->passBits() & (1 << i)) == 0 || m_passes[i].collisionLoops())
+ && !m_passes[i].runGraphite(m, fsm, reverse))
+ return false;
+ // only subsitution passes can change segment length, cached subsegments are short for their text
+ if (m.status() != vm::Machine::finished
+- || (seg->slotCount() && seg->slotCount() * MAX_SEG_GROWTH_FACTOR < initSize))
++ || (seg->slotCount() && seg->slotCount() > maxSize))
+ return false;
+ }
+ return true;
+ }
+diff --git a/gfx/graphite2/src/Slot.cpp b/gfx/graphite2/src/Slot.cpp
+--- a/gfx/graphite2/src/Slot.cpp
++++ b/gfx/graphite2/src/Slot.cpp
+@@ -80,20 +80,20 @@ void Slot::set(const Slot & orig, int ch
+
+ void Slot::update(int /*numGrSlots*/, int numCharInfo, Position &relpos)
+ {
+ m_before += numCharInfo;
+ m_after += numCharInfo;
+ m_position = m_position + relpos;
+ }
+
+-Position Slot::finalise(const Segment *seg, const Font *font, Position & base, Rect & bbox, uint8 attrLevel, float & clusterMin, bool rtl, bool isFinal)
++Position Slot::finalise(const Segment *seg, const Font *font, Position & base, Rect & bbox, uint8 attrLevel, float & clusterMin, bool rtl, bool isFinal, int depth)
+ {
+ SlotCollision *coll = NULL;
+- if (attrLevel && m_attLevel > attrLevel) return Position(0, 0);
++ if (depth > 100 || (attrLevel && m_attLevel > attrLevel)) return Position(0, 0);
+ float scale = font ? font->scale() : 1.0f;
+ Position shift(m_shift.x * (rtl * -2 + 1) + m_just, m_shift.y);
+ float tAdvance = m_advance.x + m_just;
+ if (isFinal && (coll = seg->collisionInfo(this)))
+ {
+ const Position &collshift = coll->offset();
+ if (!(coll->flags() & SlotCollision::COLL_KERN) || rtl)
+ shift = shift + collshift;
+@@ -128,23 +128,23 @@ Position Slot::finalise(const Segment *s
+ if (glyphFace)
+ {
+ Rect ourBbox = glyphFace->theBBox() * scale + m_position;
+ bbox = bbox.widen(ourBbox);
+ }
+
+ if (m_child && m_child != this && m_child->attachedTo() == this)
+ {
+- Position tRes = m_child->finalise(seg, font, m_position, bbox, attrLevel, clusterMin, rtl, isFinal);
++ Position tRes = m_child->finalise(seg, font, m_position, bbox, attrLevel, clusterMin, rtl, isFinal, depth + 1);
+ if ((!m_parent || m_advance.x >= 0.5f) && tRes.x > res.x) res = tRes;
+ }
+
+ if (m_parent && m_sibling && m_sibling != this && m_sibling->attachedTo() == m_parent)
+ {
+- Position tRes = m_sibling->finalise(seg, font, base, bbox, attrLevel, clusterMin, rtl, isFinal);
++ Position tRes = m_sibling->finalise(seg, font, base, bbox, attrLevel, clusterMin, rtl, isFinal, depth + 1);
+ if (tRes.x > res.x) res = tRes;
+ }
+
+ if (!m_parent && clusterMin < base.x)
+ {
+ Position adj = Position(m_position.x - clusterMin, 0.);
+ res += adj;
+ m_position += adj;
+@@ -160,35 +160,35 @@ int32 Slot::clusterMetric(const Segment
+ return 0;
+ Rect bbox = seg->theGlyphBBoxTemporary(glyph());
+ float clusterMin = 0.;
+ Position res = finalise(seg, NULL, base, bbox, attrLevel, clusterMin, rtl, false);
+
+ switch (metrics(metric))
+ {
+ case kgmetLsb :
+- return static_cast<uint32>(bbox.bl.x);
++ return bbox.bl.x;
+ case kgmetRsb :
+- return static_cast<uint32>(res.x - bbox.tr.x);
++ return res.x - bbox.tr.x;
+ case kgmetBbTop :
+- return static_cast<uint32>(bbox.tr.y);
++ return bbox.tr.y;
+ case kgmetBbBottom :
+- return static_cast<uint32>(bbox.bl.y);
++ return bbox.bl.y;
+ case kgmetBbLeft :
+- return static_cast<uint32>(bbox.bl.x);
++ return bbox.bl.x;
+ case kgmetBbRight :
+- return static_cast<uint32>(bbox.tr.x);
++ return bbox.tr.x;
+ case kgmetBbWidth :
+- return static_cast<uint32>(bbox.tr.x - bbox.bl.x);
++ return bbox.tr.x - bbox.bl.x;
+ case kgmetBbHeight :
+- return static_cast<uint32>(bbox.tr.y - bbox.bl.y);
++ return bbox.tr.y - bbox.bl.y;
+ case kgmetAdvWidth :
+- return static_cast<uint32>(res.x);
++ return res.x;
+ case kgmetAdvHeight :
+- return static_cast<uint32>(res.y);
++ return res.y;
+ default :
+ return 0;
+ }
+ }
+
+ #define SLOTGETCOLATTR(x) { SlotCollision *c = seg->collisionInfo(this); return c ? int(c-> x) : 0; }
+
+ int Slot::getAttr(const Segment *seg, attrCode ind, uint8 subindex) const
+@@ -290,19 +290,32 @@ void Slot::setAttr(Segment *seg, attrCod
+ case gr_slatAdvX : m_advance.x = value; break;
+ case gr_slatAdvY : m_advance.y = value; break;
+ case gr_slatAttTo :
+ {
+ const uint16 idx = uint16(value);
+ if (idx < map.size() && map[idx])
+ {
+ Slot *other = map[idx];
+- if (other == this || other == m_parent) break;
+- if (m_parent) m_parent->removeChild(this);
+- if (!other->isChildOf(this) && other->child(this))
++ if (other == this || other == m_parent || other->isCopied()) break;
++ if (m_parent) { m_parent->removeChild(this); attachTo(NULL); }
++ Slot *pOther = other;
++ int count = 0;
++ bool foundOther = false;
++ while (pOther)
++ {
++ ++count;
++ if (pOther == this) foundOther = true;
++ pOther = pOther->attachedTo();
++ }
++ for (pOther = m_child; pOther; pOther = pOther->m_child)
++ ++count;
++ for (pOther = m_sibling; pOther; pOther = pOther->m_sibling)
++ ++count;
++ if (count < 100 && !foundOther && other->child(this))
+ {
+ attachTo(other);
+ if ((map.dir() != 0) ^ (idx > subindex))
+ m_with = Position(advance(), 0);
+ else // normal match to previous root
+ m_attach = Position(other->advance(), 0);
+ }
+ }
+@@ -416,41 +429,34 @@ bool Slot::sibling(Slot *ap)
+ m_sibling = ap;
+ else
+ return m_sibling->sibling(ap);
+ return true;
+ }
+
+ bool Slot::removeChild(Slot *ap)
+ {
+- if (this == ap || !m_child) return false;
++ if (this == ap || !m_child || !ap) return false;
+ else if (ap == m_child)
+ {
+ Slot *nSibling = m_child->nextSibling();
+- m_child->removeSibling(nSibling);
++ m_child->nextSibling(NULL);
+ m_child = nSibling;
+ return true;
+ }
+- else
+- return m_child->removeSibling(ap);
+- return true;
+-}
+-
+-bool Slot::removeSibling(Slot *ap)
+-{
+- if (this == ap || !m_sibling) return false;
+- else if (ap == m_sibling)
++ for (Slot *p = m_child; p; p = p->m_sibling)
+ {
+- m_sibling = m_sibling->nextSibling();
+- if (m_sibling) ap->removeSibling(m_sibling);
+- return true;
++ if (p->m_sibling && p->m_sibling == ap)
++ {
++ p->m_sibling = p->m_sibling->m_sibling;
++ ap->nextSibling(NULL);
++ return true;
++ }
+ }
+- else
+- return m_sibling->removeSibling(ap);
+- return true;
++ return false;
+ }
+
+ void Slot::setGlyph(Segment *seg, uint16 glyphid, const GlyphFace * theGlyph)
+ {
+ m_glyphid = glyphid;
+ m_bidiCls = -1;
+ if (!theGlyph)
+ {
+@@ -475,21 +481,23 @@ void Slot::setGlyph(Segment *seg, uint16
+ if (seg->silf()->aPassBits())
+ {
+ seg->mergePassBits(theGlyph->attrs()[seg->silf()->aPassBits()]);
+ if (seg->silf()->numPasses() > 16)
+ seg->mergePassBits(theGlyph->attrs()[seg->silf()->aPassBits()+1] << 16);
+ }
+ }
+
+-void Slot::floodShift(Position adj)
++void Slot::floodShift(Position adj, int depth)
+ {
++ if (depth > 100)
++ return;
+ m_position += adj;
+- if (m_child) m_child->floodShift(adj);
+- if (m_sibling) m_sibling->floodShift(adj);
++ if (m_child) m_child->floodShift(adj, depth + 1);
++ if (m_sibling) m_sibling->floodShift(adj, depth + 1);
+ }
+
+ void SlotJustify::LoadSlot(const Slot *s, const Segment *seg)
+ {
+ for (int i = seg->silf()->numJustLevels() - 1; i >= 0; --i)
+ {
+ Justinfo *justs = seg->silf()->justAttrs() + i;
+ int16 *v = values + i * NUMJUSTPARAMS;
+@@ -514,15 +522,14 @@ Slot * Slot::nextInCluster(const Slot *s
+ return base->nextSibling();
+ s = base;
+ }
+ return NULL;
+ }
+
+ bool Slot::isChildOf(const Slot *base) const
+ {
+- if (m_parent == base)
+- return true;
+- else if (!m_parent)
+- return false;
+- else
+- return m_parent->isChildOf(base);
++ for (Slot *p = m_parent; p; p = p->m_parent)
++ if (p == base)
++ return true;
++ return false;
+ }
++
+diff --git a/gfx/graphite2/src/TtfUtil.cpp b/gfx/graphite2/src/TtfUtil.cpp
+--- a/gfx/graphite2/src/TtfUtil.cpp
++++ b/gfx/graphite2/src/TtfUtil.cpp
+@@ -891,25 +891,27 @@ const void * FindCmapSubtable(const void
+ ----------------------------------------------------------------------------------------------*/
+ bool CheckCmapSubtable4(const void * pCmapSubtable4, const void * pCmapEnd /*, unsigned int maxgid*/)
+ {
+ size_t table_len = (const byte *)pCmapEnd - (const byte *)pCmapSubtable4;
+ if (!pCmapSubtable4) return false;
+ const Sfnt::CmapSubTable * pTable = reinterpret_cast<const Sfnt::CmapSubTable *>(pCmapSubtable4);
+ // Bob H say some freeware TT fonts have version 1 (eg, CALIGULA.TTF)
+ // so don't check subtable version. 21 Mar 2002 spec changes version to language.
+- if (be::swap(pTable->format) != 4) return false;
++ if (table_len < sizeof(*pTable) || be::swap(pTable->format) != 4) return false;
+ const Sfnt::CmapSubTableFormat4 * pTable4 = reinterpret_cast<const Sfnt::CmapSubTableFormat4 *>(pCmapSubtable4);
++ if (table_len < sizeof(*pTable4))
++ return false;
+ uint16 length = be::swap(pTable4->length);
+ if (length > table_len)
+ return false;
+ if (length < sizeof(Sfnt::CmapSubTableFormat4))
+ return false;
+ uint16 nRanges = be::swap(pTable4->seg_count_x2) >> 1;
+- if (length < sizeof(Sfnt::CmapSubTableFormat4) + 4 * nRanges * sizeof(uint16))
++ if (!nRanges || length < sizeof(Sfnt::CmapSubTableFormat4) + 4 * nRanges * sizeof(uint16))
+ return false;
+ // check last range is properly terminated
+ uint16 chEnd = be::peek<uint16>(pTable4->end_code + nRanges - 1);
+ if (chEnd != 0xFFFF)
+ return false;
+ #if 0
+ int lastend = -1;
+ for (int i = 0; i < nRanges; ++i)
+@@ -999,17 +1001,17 @@ gid16 CmapSubtable4Lookup(const void * p
+ uint16 idRangeOffset = be::peek<uint16>(pMid += nSeg);
+
+ if (idRangeOffset == 0)
+ return (uint16)(idDelta + nUnicodeId); // must use modulus 2^16
+
+ // Look up value in glyphIdArray
+ const ptrdiff_t offset = (nUnicodeId - chStart) + (idRangeOffset >> 1) +
+ (pMid - reinterpret_cast<const uint16 *>(pTable));
+- if (offset * 2 >= be::swap<uint16>(pTable->length))
++ if (offset * 2 + 1 >= be::swap<uint16>(pTable->length))
+ return 0;
+ gid16 nGlyphId = be::peek<uint16>(reinterpret_cast<const uint16 *>(pTable)+offset);
+ // If this value is 0, return 0. Else add the idDelta
+ return nGlyphId ? nGlyphId + idDelta : 0;
+ }
+
+ return 0;
+ }
+@@ -1081,19 +1083,21 @@ unsigned int CmapSubtable4NextCodepoint(
+ /*----------------------------------------------------------------------------------------------
+ Check the Microsoft UCS-4 subtable for expected values.
+ ----------------------------------------------------------------------------------------------*/
+ bool CheckCmapSubtable12(const void *pCmapSubtable12, const void *pCmapEnd /*, unsigned int maxgid*/)
+ {
+ size_t table_len = (const byte *)pCmapEnd - (const byte *)pCmapSubtable12;
+ if (!pCmapSubtable12) return false;
+ const Sfnt::CmapSubTable * pTable = reinterpret_cast<const Sfnt::CmapSubTable *>(pCmapSubtable12);
+- if (be::swap(pTable->format) != 12)
++ if (table_len < sizeof(*pTable) || be::swap(pTable->format) != 12)
+ return false;
+ const Sfnt::CmapSubTableFormat12 * pTable12 = reinterpret_cast<const Sfnt::CmapSubTableFormat12 *>(pCmapSubtable12);
++ if (table_len < sizeof(*pTable12))
++ return false;
+ uint32 length = be::swap(pTable12->length);
+ if (length > table_len)
+ return false;
+ if (length < sizeof(Sfnt::CmapSubTableFormat12))
+ return false;
+ uint32 num_groups = be::swap(pTable12->num_groups);
+ if (num_groups > 0x10000000 || length != (sizeof(Sfnt::CmapSubTableFormat12) + (num_groups - 1) * sizeof(uint32) * 3))
+ return false;
+diff --git a/gfx/graphite2/src/inc/Code.h b/gfx/graphite2/src/inc/Code.h
+--- a/gfx/graphite2/src/inc/Code.h
++++ b/gfx/graphite2/src/inc/Code.h
+@@ -81,17 +81,17 @@ private:
+ _modify,
+ _delete;
+ mutable bool _own;
+
+ void release_buffers() throw ();
+ void failure(const status_t) throw();
+
+ public:
+- static size_t estimateCodeDataOut(size_t num_bytecodes);
++ static size_t estimateCodeDataOut(size_t num_bytecodes, int nRules, int nSlots);
+
+ Code() throw();
+ Code(bool is_constraint, const byte * bytecode_begin, const byte * const bytecode_end,
+ uint8 pre_context, uint16 rule_length, const Silf &, const Face &,
+ enum passtype pt, byte * * const _out = 0);
+ Code(const Machine::Code &) throw();
+ ~Code() throw();
+
+@@ -107,19 +107,21 @@ public:
+ void externalProgramMoved(ptrdiff_t) throw();
+
+ int32 run(Machine &m, slotref * & map) const;
+
+ CLASS_NEW_DELETE;
+ };
+
+ inline
+-size_t Machine::Code::estimateCodeDataOut(size_t n_bc)
++size_t Machine::Code::estimateCodeDataOut(size_t n_bc, int nRules, int nSlots)
+ {
+- return (n_bc + 1) * (sizeof(instr)+sizeof(byte));
++ // max is: all codes are instructions + 1 for each rule + max tempcopies
++ // allocate space for separate maximal code and data then merge them later
++ return (n_bc + nRules + nSlots) * sizeof(instr) + n_bc * sizeof(byte);
+ }
+
+
+ inline Machine::Code::Code() throw()
+ : _code(0), _data(0), _data_size(0), _instr_count(0), _max_ref(0),
+ _status(loaded), _constraint(false), _modify(false), _delete(false),
+ _own(false)
+ {
+diff --git a/gfx/graphite2/src/inc/Face.h b/gfx/graphite2/src/inc/Face.h
+--- a/gfx/graphite2/src/inc/Face.h
++++ b/gfx/graphite2/src/inc/Face.h
+@@ -82,17 +82,17 @@ public:
+ uint16 languageForLocale(const char * locale) const;
+
+ // Features
+ uint16 numFeatures() const;
+ const FeatureRef * featureById(uint32 id) const;
+ const FeatureRef * feature(uint16 index) const;
+
+ // Glyph related
+- uint16 getGlyphMetric(uint16 gid, uint8 metric) const;
++ int32 getGlyphMetric(uint16 gid, uint8 metric) const;
+ uint16 findPseudo(uint32 uid) const;
+
+ // Errors
+ unsigned int error() const { return m_error; }
+ bool error(Error e) { m_error = e.error(); return false; }
+ unsigned int error_context() const { return m_error; }
+ void error_context(unsigned int errcntxt) { m_errcntxt = errcntxt; }
+
+diff --git a/gfx/graphite2/src/inc/GlyphFace.h b/gfx/graphite2/src/inc/GlyphFace.h
+--- a/gfx/graphite2/src/inc/GlyphFace.h
++++ b/gfx/graphite2/src/inc/GlyphFace.h
+@@ -46,17 +46,17 @@ class GlyphFace
+ public:
+ GlyphFace();
+ template<typename I>
+ GlyphFace(const Rect & bbox, const Position & adv, I first, const I last);
+
+ const Position & theAdvance() const;
+ const Rect & theBBox() const { return m_bbox; }
+ const sparse & attrs() const { return m_attrs; }
+- uint16 getMetric(uint8 metric) const;
++ int32 getMetric(uint8 metric) const;
+
+ CLASS_NEW_DELETE;
+ private:
+ Rect m_bbox; // bounding box metrics in design units
+ Position m_advance; // Advance width and height in design units
+ sparse m_attrs;
+ };
+
+diff --git a/gfx/graphite2/src/inc/Machine.h b/gfx/graphite2/src/inc/Machine.h
+--- a/gfx/graphite2/src/inc/Machine.h
++++ b/gfx/graphite2/src/inc/Machine.h
+@@ -179,17 +179,17 @@ inline SlotMap& Machine::slotMap() const
+ return _map;
+ }
+
+ inline Machine::status_t Machine::status() const throw()
+ {
+ return _status;
+ }
+
+-inline void Machine::check_final_stack(const int32 * const sp)
++inline void Machine::check_final_stack(const stack_t * const sp)
+ {
+ stack_t const * const base = _stack + STACK_GUARD,
+ * const limit = base + STACK_MAX;
+ if (sp < base) _status = stack_underflow; // This should be impossible now.
+ else if (sp >= limit) _status = stack_overflow; // So should this.
+ else if (sp != base) _status = stack_not_empty;
+ }
+
+diff --git a/gfx/graphite2/src/inc/Pass.h b/gfx/graphite2/src/inc/Pass.h
+--- a/gfx/graphite2/src/inc/Pass.h
++++ b/gfx/graphite2/src/inc/Pass.h
+@@ -76,17 +76,17 @@ private:
+ void dumpRuleEventConsidered(const FiniteStateMachine & fsm, const RuleEntry & re) const;
+ void dumpRuleEventOutput(const FiniteStateMachine & fsm, vm::Machine & m, const Rule & r, Slot * os) const;
+ void adjustSlot(int delta, Slot * & slot_out, SlotMap &) const;
+ bool collisionShift(Segment *seg, int dir, json * const dbgout) const;
+ bool collisionKern(Segment *seg, int dir, json * const dbgout) const;
+ bool collisionFinish(Segment *seg, GR_MAYBE_UNUSED json * const dbgout) const;
+ bool resolveCollisions(Segment *seg, Slot *slot, Slot *start, ShiftCollider &coll, bool isRev,
+ int dir, bool &moved, bool &hasCol, json * const dbgout) const;
+- float resolveKern(Segment *seg, Slot *slot, Slot *start, KernCollider &coll, int dir,
++ float resolveKern(Segment *seg, Slot *slot, Slot *start, int dir,
+ float &ymin, float &ymax, json *const dbgout) const;
+
+ const Silf * m_silf;
+ uint16 * m_cols;
+ Rule * m_rules; // rules
+ RuleEntry * m_ruleMap;
+ uint16 * m_startStates; // prectxt length
+ uint16 * m_transitions;
+diff --git a/gfx/graphite2/src/inc/Rule.h b/gfx/graphite2/src/inc/Rule.h
+--- a/gfx/graphite2/src/inc/Rule.h
++++ b/gfx/graphite2/src/inc/Rule.h
+@@ -97,17 +97,17 @@ bool State::empty() const
+ return rules_end == rules;
+ }
+
+
+ class SlotMap
+ {
+ public:
+ enum {MAX_SLOTS=64};
+- SlotMap(Segment & seg, uint8 direction);
++ SlotMap(Segment & seg, uint8 direction, int maxSize);
+
+ Slot * * begin();
+ Slot * * end();
+ size_t size() const;
+ unsigned short context() const;
+ void reset(Slot &, unsigned short);
+
+ Slot * const & operator[](int n) const;
+@@ -116,23 +116,25 @@ public:
+ void collectGarbage(Slot *& aSlot);
+
+ Slot * highwater() { return m_highwater; }
+ void highwater(Slot *s) { m_highwater = s; m_highpassed = false; }
+ bool highpassed() const { return m_highpassed; }
+ void highpassed(bool v) { m_highpassed = v; }
+
+ uint8 dir() const { return m_dir; }
++ int decMax() { return --m_maxSize; }
+
+ Segment & segment;
+ private:
+ Slot * m_slot_map[MAX_SLOTS+1];
+ unsigned short m_size;
+ unsigned short m_precontext;
+ Slot * m_highwater;
++ int m_maxSize;
+ uint8 m_dir;
+ bool m_highpassed;
+ };
+
+
+ class FiniteStateMachine
+ {
+ public:
+@@ -237,18 +239,19 @@ void FiniteStateMachine::Rules::accumula
+ return;
+ }
+ }
+ while (rre != rrend && out != lrend) { *out++ = *rre++; }
+ m_end = out;
+ }
+
+ inline
+-SlotMap::SlotMap(Segment & seg, uint8 direction)
+-: segment(seg), m_size(0), m_precontext(0), m_highwater(0), m_dir(direction), m_highpassed(false)
++SlotMap::SlotMap(Segment & seg, uint8 direction, int maxSize)
++: segment(seg), m_size(0), m_precontext(0), m_highwater(0),
++ m_maxSize(maxSize), m_dir(direction), m_highpassed(false)
+ {
+ m_slot_map[0] = 0;
+ }
+
+ inline
+ Slot * * SlotMap::begin()
+ {
+ return &m_slot_map[1]; // allow map to go 1 before slot_map when inserting
+diff --git a/gfx/graphite2/src/inc/Segment.h b/gfx/graphite2/src/inc/Segment.h
+--- a/gfx/graphite2/src/inc/Segment.h
++++ b/gfx/graphite2/src/inc/Segment.h
+@@ -35,17 +35,17 @@ of the License or (at your option) any l
+ #include "inc/FeatureVal.h"
+ #include "inc/GlyphCache.h"
+ #include "inc/GlyphFace.h"
+ #include "inc/Slot.h"
+ #include "inc/Position.h"
+ #include "inc/List.h"
+ #include "inc/Collider.h"
+
+-#define MAX_SEG_GROWTH_FACTOR 256
++#define MAX_SEG_GROWTH_FACTOR 64
+
+ namespace graphite2 {
+
+ typedef Vector<Features> FeatureList;
+ typedef Vector<Slot *> SlotRope;
+ typedef Vector<int16 *> AttributeRope;
+ typedef Vector<SlotJustify *> JustifyRope;
+
+@@ -154,17 +154,17 @@ public:
+ int8 getSlotBidiClass(Slot *s) const;
+ void doMirror(uint16 aMirror);
+ Slot *addLineEnd(Slot *nSlot);
+ void delLineEnd(Slot *s);
+ bool hasJustification() const { return m_justifies.size() != 0; }
+ void reverseSlots();
+
+ bool isWhitespace(const int cid) const;
+- bool hasCollisionInfo() const { return (m_flags & SEG_HASCOLLISIONS); }
++ bool hasCollisionInfo() const { return (m_flags & SEG_HASCOLLISIONS) && m_collisions; }
+ SlotCollision *collisionInfo(const Slot *s) const { return m_collisions ? m_collisions + s->index() : 0; }
+ CLASS_NEW_DELETE
+
+ public: //only used by: GrSegment* makeAndInitialize(const GrFont *font, const GrFace *face, uint32 script, const FeaturesHandle& pFeats/*must not be IsNull*/, encform enc, const void* pStart, size_t nChars, int dir);
+ bool read_text(const Face *face, const Features* pFeats/*must not be NULL*/, gr_encform enc, const void*pStart, size_t nChars);
+ void finalise(const Font *font, bool reverse=false);
+ float justify(Slot *pSlot, const Font *font, float width, enum justFlags flags, Slot *pFirst, Slot *pLast);
+ bool initCollisions();
+diff --git a/gfx/graphite2/src/inc/Slot.h b/gfx/graphite2/src/inc/Slot.h
+--- a/gfx/graphite2/src/inc/Slot.h
++++ b/gfx/graphite2/src/inc/Slot.h
+@@ -92,17 +92,17 @@ public:
+ void adjKern(const Position &pos) { m_shift = m_shift + pos; m_advance = m_advance + pos; }
+ void origin(const Position &pos) { m_position = pos + m_shift; }
+ void originate(int ind) { m_original = ind; }
+ int original() const { return m_original; }
+ void before(int ind) { m_before = ind; }
+ void after(int ind) { m_after = ind; }
+ bool isBase() const { return (!m_parent); }
+ void update(int numSlots, int numCharInfo, Position &relpos);
+- Position finalise(const Segment* seg, const Font* font, Position & base, Rect & bbox, uint8 attrLevel, float & clusterMin, bool rtl, bool isFinal);
++ Position finalise(const Segment* seg, const Font* font, Position & base, Rect & bbox, uint8 attrLevel, float & clusterMin, bool rtl, bool isFinal, int depth = 0);
+ bool isDeleted() const { return (m_flags & DELETED) ? true : false; }
+ void markDeleted(bool state) { if (state) m_flags |= DELETED; else m_flags &= ~DELETED; }
+ bool isCopied() const { return (m_flags & COPIED) ? true : false; }
+ void markCopied(bool state) { if (state) m_flags |= COPIED; else m_flags &= ~COPIED; }
+ bool isPositioned() const { return (m_flags & POSITIONED) ? true : false; }
+ void markPositioned(bool state) { if (state) m_flags |= POSITIONED; else m_flags &= ~POSITIONED; }
+ bool isInsertBefore() const { return !(m_flags & INSERTED); }
+ uint8 getBidiLevel() const { return m_bidiLevel; }
+@@ -123,20 +123,19 @@ public:
+ Position attachOffset() const { return m_attach - m_with; }
+ Slot* firstChild() const { return m_child; }
+ void firstChild(Slot *ap) { m_child = ap; }
+ bool child(Slot *ap);
+ Slot* nextSibling() const { return m_sibling; }
+ void nextSibling(Slot *ap) { m_sibling = ap; }
+ bool sibling(Slot *ap);
+ bool removeChild(Slot *ap);
+- bool removeSibling(Slot *ap);
+ int32 clusterMetric(const Segment* seg, uint8 metric, uint8 attrLevel, bool rtl);
+ void positionShift(Position a) { m_position += a; }
+- void floodShift(Position adj);
++ void floodShift(Position adj, int depth = 0);
+ float just() const { return m_just; }
+ void just(float j) { m_just = j; }
+ Slot *nextInCluster(const Slot *s) const;
+ bool isChildOf(const Slot *base) const;
+
+ CLASS_NEW_DELETE
+
+ private:
+diff --git a/gfx/graphite2/src/inc/UtfCodec.h b/gfx/graphite2/src/inc/UtfCodec.h
+--- a/gfx/graphite2/src/inc/UtfCodec.h
++++ b/gfx/graphite2/src/inc/UtfCodec.h
+@@ -35,16 +35,17 @@ typedef uint32 uchar_t;
+
+ template <int N>
+ struct _utf_codec
+ {
+ typedef uchar_t codeunit_t;
+
+ static void put(codeunit_t * cp, const uchar_t , int8 & len) throw();
+ static uchar_t get(const codeunit_t * cp, int8 & len) throw();
++ static bool validate(const codeunit_t * s, const codeunit_t * e) throw();
+ };
+
+
+ template <>
+ struct _utf_codec<32>
+ {
+ private:
+ static const uchar_t limit = 0x110000;
+@@ -58,16 +59,22 @@ public:
+ }
+
+ inline
+ static uchar_t get(const codeunit_t * cp, int8 & l) throw()
+ {
+ if (cp[0] < limit) { l = 1; return cp[0]; }
+ else { l = -1; return 0xFFFD; }
+ }
++
++ inline
++ static bool validate(codeunit_t * s, codeunit_t * e) throw()
++ {
++ return e > s;
++ }
+ };
+
+
+ template <>
+ struct _utf_codec<16>
+ {
+ private:
+ static const int32 lead_offset = 0xD800 - (0x10000 >> 10);
+@@ -88,22 +95,31 @@ public:
+ }
+
+ inline
+ static uchar_t get(const codeunit_t * cp, int8 & l) throw()
+ {
+ const uint32 uh = cp[0];
+ l = 1;
+
+- if (0xD800 > uh || uh > 0xDFFF) { return uh; }
++ if (uh < 0xD800|| uh > 0xDFFF) { return uh; }
+ const uint32 ul = cp[1];
+- if (uh > 0xDBFF || 0xDC00 > ul || ul > 0xDFFF) { l = -1; return 0xFFFD; }
++ if (uh > 0xDBFF || ul < 0xDC00 || ul > 0xDFFF) { l = -1; return 0xFFFD; }
+ ++l;
+ return (uh<<10) + ul + surrogate_offset;
+ }
++
++ inline
++ static bool validate(codeunit_t * s, codeunit_t * e) throw()
++ {
++ const ptrdiff_t n = e-s;
++ if (n <= 0) return n == 0;
++ const uint32 u = *(s+(n-1)); // Get the last codepoint
++ return (u < 0xD800 || u > 0xDBFF);
++ }
+ };
+
+
+ template <>
+ struct _utf_codec<8>
+ {
+ private:
+ static const int8 sz_lut[16];
+@@ -143,16 +159,34 @@ public:
+
+ if (l != seq_sz || toolong)
+ {
+ l = -l;
+ return 0xFFFD;
+ }
+ return u;
+ }
++
++ inline
++ static bool validate(codeunit_t * s, codeunit_t * e) throw()
++ {
++ const ptrdiff_t n = e-s;
++ if (n <= 0) return n == 0;
++ s += (n-1);
++ if (*s < 0x80) return true;
++ if (*s >= 0xC0) return false;
++ if (n == 1) return true;
++ if (*--s < 0x80) return true;
++ if (*s >= 0xe0) return false;
++ if (n == 2 || *s >= 0xC0) return true;
++ if (*--s < 0x80) return true;
++ if (*s >= 0xF0) return false;
++ return true;
++ }
++
+ };
+
+
+ template <typename C>
+ class _utf_iterator
+ {
+ typedef _utf_codec<sizeof(C)*8> codec;
+
+@@ -195,16 +229,21 @@ public:
+
+ template <typename C>
+ struct utf
+ {
+ typedef typename _utf_codec<sizeof(C)*8>::codeunit_t codeunit_t;
+
+ typedef _utf_iterator<C> iterator;
+ typedef _utf_iterator<const C> const_iterator;
++
++ inline
++ static bool validate(codeunit_t * s, codeunit_t * e) throw() {
++ return _utf_codec<sizeof(C)*8>::validate(s,e);
++ }
+ };
+
+
+ typedef utf<uint32> utf32;
+ typedef utf<uint16> utf16;
+ typedef utf<uint8> utf8;
+
+ } // namespace graphite2
+diff --git a/gfx/graphite2/src/inc/opcode_table.h b/gfx/graphite2/src/inc/opcode_table.h
+--- a/gfx/graphite2/src/inc/opcode_table.h
++++ b/gfx/graphite2/src/inc/opcode_table.h
+@@ -113,13 +113,13 @@ static const opcode_t opcode_table[] =
+ {{NILOP,NILOP}, 0, "PUT_SUBS3"},
+ {{do_(put_glyph), NILOP}, 2, "PUT_GLYPH"}, // output_class output_class
+ {{do2(push_glyph_attr)}, 3, "PUSH_GLYPH_ATTR"}, // gattrnum gattrnum slot
+ {{do2(push_att_to_glyph_attr)}, 3, "PUSH_ATT_TO_GLYPH_ATTR"}, // gattrnum gattrnum slot
+ {{do2(bor)}, 0, "BITOR"},
+ {{do2(band)}, 0, "BITAND"},
+ {{do2(bnot)}, 0, "BITNOT"}, // 0x40
+ {{do2(setbits)}, 4, "BITSET"},
+- {{do2(set_feat)}, 2, "SET_FEAT"},
++ {{do_(set_feat), NILOP}, 2, "SET_FEAT"}, // featidx slot
+ // private opcodes for internal use only, comes after all other on disk opcodes.
+ {{do_(temp_copy), NILOP}, 0, "TEMP_COPY"}
+ };
+
+diff --git a/gfx/graphite2/src/inc/opcodes.h b/gfx/graphite2/src/inc/opcodes.h
+--- a/gfx/graphite2/src/inc/opcodes.h
++++ b/gfx/graphite2/src/inc/opcodes.h
+@@ -62,17 +62,18 @@ of the License or (at your option) any l
+ // ip = The current instruction pointer
+ // endPos = Position of advance of last cluster
+ // dir = writing system directionality of the font
+
+
+ // #define NOT_IMPLEMENTED assert(false)
+ #define NOT_IMPLEMENTED
+
+-#define binop(op) const int32 a = pop(); *sp = int32(*sp) op a
++#define binop(op) const uint32 a = pop(); *sp = uint32(*sp) op a
++#define sbinop(op) const int32 a = pop(); *sp = int32(*sp) op a
+ #define use_params(n) dp += n
+
+ #define declare_params(n) const byte * param = dp; \
+ use_params(n);
+
+ #define push(n) { *++sp = n; }
+ #define pop() (*sp--)
+ #define slotat(x) (map[(x)])
+@@ -125,17 +126,17 @@ STARTOP(sub)
+ ENDOP
+
+ STARTOP(mul)
+ binop(*);
+ ENDOP
+
+ STARTOP(div_)
+ if (*sp == 0) DIE;
+- binop(/);
++ sbinop(/);
+ ENDOP
+
+ STARTOP(min_)
+ const int32 a = pop(), b = *sp;
+ if (a < b) *sp = a;
+ ENDOP
+
+ STARTOP(max_)
+@@ -176,29 +177,29 @@ STARTOP(equal)
+ binop(==);
+ ENDOP
+
+ STARTOP(not_eq_)
+ binop(!=);
+ ENDOP
+
+ STARTOP(less)
+- binop(<);
++ sbinop(<);
+ ENDOP
+
+ STARTOP(gtr)
+- binop(>);
++ sbinop(>);
+ ENDOP
+
+ STARTOP(less_eq)
+- binop(<=);
++ sbinop(<=);
+ ENDOP
+
+ STARTOP(gtr_eq)
+- binop(>=);
++ sbinop(>=);
+ ENDOP
+
+ STARTOP(next)
+ if (map - &smap[0] >= int(smap.size())) DIE
+ if (is)
+ {
+ if (is == smap.highwater())
+ smap.highpassed(true);
+@@ -237,17 +238,17 @@ STARTOP(put_subs_8bit_obs)
+ index = seg.findClassIndex(input_class, slot->gid());
+ is->setGlyph(&seg, seg.getClassGlyph(output_class, index));
+ }
+ ENDOP
+
+ STARTOP(put_copy)
+ declare_params(1);
+ const int slot_ref = int8(*param);
+- if (is)
++ if (is && !is->isDeleted())
+ {
+ slotref ref = slotat(slot_ref);
+ if (ref && ref != is)
+ {
+ int16 *tempUserAttrs = is->userAttrs();
+ if (is->attachedTo() || is->firstChild()) DIE
+ Slot *prev = is->prev();
+ Slot *next = is->next();
+@@ -262,16 +263,17 @@ STARTOP(put_copy)
+ is->attachedTo()->child(is);
+ }
+ is->markCopied(false);
+ is->markDeleted(false);
+ }
+ ENDOP
+
+ STARTOP(insert)
++ if (smap.decMax() <= 0) DIE;
+ Slot *newSlot = seg.newSlot();
+ if (!newSlot) DIE;
+ Slot *iss = is;
+ while (iss && iss->isDeleted()) iss = iss->next();
+ if (!iss)
+ {
+ if (seg.last())
+ {
+@@ -550,31 +552,31 @@ ENDOP
+
+ STARTOP(iattr_add)
+ declare_params(2);
+ const attrCode slat = attrCode(uint8(param[0]));
+ const size_t idx = uint8(param[1]);
+ const int val = int(pop());
+ if ((slat == gr_slatPosX || slat == gr_slatPosY) && (flags & POSITIONED) == 0)
+ {
+- seg.positionSlots(0, *smap.begin(), *(smap.end()-1), dir);
++ seg.positionSlots(0, *smap.begin(), *(smap.end()-1), seg.currdir());
+ flags |= POSITIONED;
+ }
+ int res = is->getAttr(&seg, slat, idx);
+ is->setAttr(&seg, slat, idx, val + res, smap);
+ ENDOP
+
+ STARTOP(iattr_sub)
+ declare_params(2);
+ const attrCode slat = attrCode(uint8(param[0]));
+ const size_t idx = uint8(param[1]);
+ const int val = int(pop());
+ if ((slat == gr_slatPosX || slat == gr_slatPosY) && (flags & POSITIONED) == 0)
+ {
+- seg.positionSlots(0, *smap.begin(), *(smap.end()-1), dir);
++ seg.positionSlots(0, *smap.begin(), *(smap.end()-1), seg.currdir());
+ flags |= POSITIONED;
+ }
+ int res = is->getAttr(&seg, slat, idx);
+ is->setAttr(&seg, slat, idx, res - val, smap);
+ ENDOP
+
+ STARTOP(push_proc_state)
+ use_params(1);
+