Revision r31310 introduced extraCharsAvailable to be able to do ligatures, etc. There is a slight bug that leads to create a String from UChar* which reads beyond the bounds. SVGTextRunWalker::walk ASSERT(to + from == run.length()); ^^^^ const int endOfScanRange = to + m_walkerData.extraCharsAvailable; for (int i = from; i < to; ++i) { characterLookupRange = endOfScanRange - i; String lookupString(run.data(i), characterLookupRange); ^^^^ <- out of bounds now SVGRootInlineBox::buildLayoutInformationForTextBox int extraCharsAvailable = length - i - 1; if (textBox->direction() == RTL) { glyphWidth = svgTextBox->calculateGlyphWidth(style, textBox->end() - i, extraCharsAvailable, charsConsumed, glyphName); glyphHeight = svgTextBox->calculateGlyphHeight(style, textBox->end() - i, extraCharsAvailable); unicodeStr = String(textBox->textObject()->text()->characters() + textBox->end() - i, charsConsumed); extraCharsAvailable is wrong, or at least wrong in the future. In SVGFont it gets treated as how many chars are available to the right.. but in the first iteration in the above loop: i = 0 textBox->end() == length-1; but we travel the text from right to left. This means in the first loop there is not extra char available?! in the next one...? Also SVGInlineTextBox::calculateGlyphWidth looks really weird: A Text run with size one is created but we pass the extraCharsAvailable... this will work for LTR text but with RTL text (as in the above test case) we will read out of the bounds of the string.