OpenJDK / jdk8u / jdk8u / jdk

--- a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp	Wed Apr 03 03:33:25 2019 +0100
+++ b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -67,7 +67,10 @@
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArrayPtr[subst].lookupListIndex);

         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }

         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }
--- a/src/share/native/sun/font/layout/GlyphIterator.cpp	Wed Apr 03 03:33:25 2019 +0100
+++ b/src/share/native/sun/font/layout/GlyphIterator.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -224,6 +224,16 @@

 void GlyphIterator::setCurrGlyphID(TTGlyphID glyphID)
 {
+    if (direction < 0) {
+        if (position <= nextLimit || position >= prevLimit) {
+            return;
+        }
+    } else {
+        if (position <= prevLimit || position >= nextLimit) {
+            return;
+        }
+    }
+
     LEGlyphID glyph = glyphStorage[position];

     glyphStorage[position] = LE_SET_GLYPH(glyph, glyphID);
--- a/src/share/native/sun/font/layout/SubstitutionLookups.cpp	Wed Apr 03 03:33:25 2019 +0100
+++ b/src/share/native/sun/font/layout/SubstitutionLookups.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -67,7 +67,10 @@
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArray[subst].lookupListIndex);

         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }

         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }