There is a memory corruption bug that is triggered when uppercasing malformed Unicode. Specifically, when the opening (high) surrogate of a surrogate pair is followed by the "Latin small letter sharp s" character (ß, U+00DF) rather than a low surrogate, a wild copy occurs, leading to memory corruption.
A repro SWF is attached, along with source.
This bug might be platform specific. It certainly triggers on Pepper Flash on Linux (desktop; Chrome OS is assumed to be affected too). More testing is required on Mac and Windows.
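The report combines two inputs a case-mapping routine has to get right: a lone high surrogate (no low surrogate follows it) and U+00DF, whose uppercase form "SS" is two UTF-16 code units, so the output can be longer than the input. The routine below is an added illustration of a bounds-safe way to handle that, not Flash's code, and says nothing about Flash's actual root cause; it sizes the output with a first pass and refuses to write past the caller's capacity.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (hypothetical helper, not Flash's implementation): only
 * ASCII a-z and U+00DF are mapped; every other unit, lone surrogates
 * included, is copied through unchanged. */
static int is_high_surrogate(uint16_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static int is_low_surrogate(uint16_t u)  { return u >= 0xDC00 && u <= 0xDFFF; }

/* Output units produced by one non-surrogate input unit: sharp s expands. */
static size_t upper_units(uint16_t u) { return u == 0x00DF ? 2 : 1; }

/* Pass 1: required output length in UTF-16 code units. A complete pair is
 * two units; a lone high surrogate counts as one and must not cause the
 * following unit (e.g. U+00DF) to be skipped or mis-counted. */
size_t utf16_upper_len(const uint16_t *in, size_t n) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_high_surrogate(in[i]) && i + 1 < n && is_low_surrogate(in[i + 1])) {
            out += 2; i++;                 /* complete pair, copied verbatim */
        } else {
            out += upper_units(in[i]);
        }
    }
    return out;
}

/* Pass 2: write the uppercased string into out (capacity cap units).
 * Returns units written, or (size_t)-1 if cap is too small, so the copy
 * is bounded before a single unit is written. */
size_t utf16_upper(const uint16_t *in, size_t n, uint16_t *out, size_t cap) {
    size_t need = utf16_upper_len(in, n);
    if (need > cap) return (size_t)-1;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t u = in[i];
        if (is_high_surrogate(u) && i + 1 < n && is_low_surrogate(in[i + 1])) {
            out[o++] = u; out[o++] = in[++i];
        } else if (u == 0x00DF) {
            out[o++] = 'S'; out[o++] = 'S'; /* the length-expanding case */
        } else if (u >= 'a' && u <= 'z') {
            out[o++] = (uint16_t)(u - ('a' - 'A'));
        } else {
            out[o++] = u;                  /* lone surrogate or unmapped unit */
        }
    }
    return o;
}
```

Running it on the constructed input {0xD800, 0x00DF} (the report's shape) yields three units, one more than the input, which is exactly the case a routine that assumes output length equals input length gets wrong.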
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.