diff --git a/gfx/graphite2/README.mozilla b/gfx/graphite2/README.mozilla index 1dde1c22dd7..8edf83bcc6e 100644 --- a/gfx/graphite2/README.mozilla +++ b/gfx/graphite2/README.mozilla @@ -1,3 +1,6 @@ This directory contains the Graphite2 library release 1.3.4 from https://github.com/silnrsi/graphite/releases/download/1.3.4/graphite2-minimal-1.3.4.tgz See ./gfx/graphite2/moz-gr-update.sh for update procedure. + +Bug 1223002: Updated to upstream commit 6106dcbd5bc4df2e6ef6a7c632c69ca71ba2b518 +to fix recently-discovered fuzzbugs. diff --git a/gfx/graphite2/src/Code.cpp b/gfx/graphite2/src/Code.cpp index b3515679c63..02ad54d7dcd 100644 --- a/gfx/graphite2/src/Code.cpp +++ b/gfx/graphite2/src/Code.cpp @@ -120,6 +120,7 @@ private: analysis _analysis; enum passtype _passtype; int _stack_depth; + bool _in_ctxt_item; }; @@ -139,7 +140,8 @@ inline Machine::Code::decoder::decoder(limits & lims, Code &code, enum passtype _pre_context(code._constraint ? 0 : lims.pre_context), _rule_length(code._constraint ? 1 : lims.rule_length), _instr(code._code), _data(code._data), _max(lims), _passtype(pt), - _stack_depth(0) + _stack_depth(0), + _in_ctxt_item(false) { } @@ -356,8 +358,8 @@ opcode Machine::Code::decoder::fetch_opcode(const byte * bc) break; case CNTXT_ITEM : valid_upto(_max.rule_length, _max.pre_context + int8(bc[0])); - if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end); - if (_pre_context != 0) failure(nested_context_item); + if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end); + if (_in_ctxt_item) failure(nested_context_item); break; case ATTR_SET : case ATTR_ADD : @@ -578,6 +580,7 @@ bool Machine::Code::decoder::emit_opcode(opcode opc, const byte * & bc) if (opc == CNTXT_ITEM) { assert(_pre_context == 0); + _in_ctxt_item = true; _pre_context = _max.pre_context + int8(_data[-2]); _rule_length = _max.rule_length; 
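Review bot: The new `_in_ctxt_item` member in the `decoder` class is declared without a comment, and its meaning can only be recovered by reading `fetch_opcode` and `emit_opcode` together. A one-line comment on the declaration would make the invariant explicit, for example `bool _in_ctxt_item; // true while decoding the body of a CNTXT_ITEM; nested items are rejected`. The class body starts outside the hunk.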
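Review bot: In the `CNTXT_ITEM` case of `fetch_opcode`, the re-indented guard `bc + 2 + bc[1] >= _max.bytecode` builds a pointer up to 257 bytes past `bc` before comparing it. Forming a pointer more than one element past the end of the bytecode buffer is undefined behaviour, so the check is not guaranteed to behave as written on font-supplied data. Comparing the remaining length avoids this, e.g. `if (_max.bytecode - bc <= 2 + bc[1]) failure(jump_past_end);`. Whether `bc[0]` and `bc[1]` are already known to lie inside the buffer is decided outside the hunk and should be confirmed.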
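Review bot: The `assert(_pre_context == 0)` kept at the top of the `CNTXT_ITEM` branch in `emit_opcode` no longer matches what the decoder validates. `fetch_opcode` used to fail with `nested_context_item` whenever `_pre_context != 0`; it now tests only `_in_ctxt_item`. The constructor sets `_pre_context` to `lims.pre_context` for non-constraint code, so if a font can place a `CNTXT_ITEM` there with a non-zero pre-context, debug builds would abort on font input while release builds silently overwrite the value. Consider `assert(!_in_ctxt_item);` instead, so the assert states the invariant that is actually enforced. The branch continues past the end of the hunk.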
@@ -596,6 +599,7 @@ bool Machine::Code::decoder::emit_opcode(opcode opc, const byte * & bc) _rule_length = 1; _pre_context = 0; + _in_ctxt_item = false; } else { diff --git a/gfx/graphite2/src/Face.cpp b/gfx/graphite2/src/Face.cpp index ab77d7220f6..7aefdb98de0 100644 --- a/gfx/graphite2/src/Face.cpp +++ b/gfx/graphite2/src/Face.cpp @@ -195,7 +195,6 @@ bool Face::runGraphite(Segment *seg, const Silf *aSilf) const << "output" << json::array; for(Slot * s = seg->first(); s; s = s->next()) *dbgout << dslot(seg, s); - seg->finalise(0); // Call this here to fix up charinfo back indexes. *dbgout << json::close << "advance" << seg->advance() << "chars" << json::array; diff --git a/gfx/graphite2/src/TtfUtil.cpp b/gfx/graphite2/src/TtfUtil.cpp index 0b6b98035bd..90ced6aee6a 100644 --- a/gfx/graphite2/src/TtfUtil.cpp +++ b/gfx/graphite2/src/TtfUtil.cpp @@ -952,7 +952,7 @@ gid16 CmapSubtable4Lookup(const void * pCmapSubtabel4, unsigned int nUnicodeId, uint16 nSeg = be::swap(pTable->seg_count_x2) >> 1; uint16 n; - const uint16 * pLeft, * pMid; + const uint16 * pLeft, * pMid; uint16 cMid, chStart, chEnd; if (rangeKey)