- 
    
Bug
 - 
    Resolution: Done
 - 
    
  Not Evaluated                     
     - 
    4.7.1
 - 
    None
 - 
    Microsoft Windows 7 x64
Visual Studio 2010
Quassel Client 0.8-pre+77 
- 
        9ae6f2f9a57f0c3096d5785913e437953fa6775c
 
When attempting to execute the following code:
// _styledMsg.plainContents() returns a QString containing the text in the attached UTF-8 encoded text file.
// unsigned char *ChatLineModelItem::TextBoundaryFinderBuffer = (unsigned char *)malloc(512 * sizeof(HB_CharAttributes_Dummy));
// int ChatLineModelItem::TextBoundaryFinderBufferSize = 512 * (sizeof(HB_CharAttributes_Dummy) / sizeof(unsigned char));
// Reproduction excerpt from ChatLineModelItem (the static members above are the ones it uses).
// The enclosing method's signature is not part of the excerpt, so the bare `return;` below
// belongs to that method.
  QString text = _styledMsg.plainContents();   // local copy; owns the text for the rest of this scope
  int length = text.length();
  if(!length)
    return;   // empty message: nothing to lay out
  QList<ChatLineModel::Word> wplist;  // use a temp list which we'll later copy into a QVector for efficiency
  // NOTE(review): plainContents() returns a QString by value (see the comment at the top), so the
  // .unicode() pointer passed here refers to a temporary that is destroyed at the end of this
  // declaration; `finder` is left holding a dangling pointer. `text.unicode()` (the local copy
  // above) would keep the storage alive. `finder` is not used in the excerpt shown, so this is
  // not on the crash path below, but it is a latent read of freed memory if it is used later.
  // The buffer/size pair is the preallocated 512-element block declared above.
  QTextBoundaryFinder finder(QTextBoundaryFinder::Line, _styledMsg.plainContents().unicode(), length,
                              TextBoundaryFinderBuffer, TextBoundaryFinderBufferSize);
  int idx;
  int oldidx = 0;
  ChatLineModel::Word word;
  word.start = 0;
  qreal wordstartx = 0;
  // Single-line layout: wrapping is disabled, so the one line created below is asked to
  // cover the entire text (setNumColumns(length)).
  QTextLayout layout(_styledMsg.plainContents());
  QTextOption option;
  option.setWrapMode(QTextOption::NoWrap);
  layout.setTextOption(option);
// QtUi::style()->toTextLayoutList() will be returning a QList<QTextLayout::FormatRange> containing a single FormatRange for the entire line of text, using a regular formatting string
  layout.setAdditionalFormats(QtUi::style()->toTextLayoutList(_styledMsg.contentsFormatList(), length, messageLabel()));
  layout.beginLayout();
  QTextLine line = layout.createLine();
  // Crash occurs deep inside this function: per the stack trace below, QTextLine::setNumColumns
  // ends in the HarfBuzz GPOS lookup reading the input buffer at index 65535.
  line.setNumColumns(length); // Crash occurs deep inside this function
  layout.endLayout();
The stack trace from that function call to the crash point is as follows:
 	QtCored4.dll!Lookup_MarkMarkPos(GPOS_Instance_ * gpi=0x01b7bc28, HB_GPOS_SubTable_ * st=0x130dc388, HB_BufferRec_ * buffer=0x130b91a8, unsigned short flags=1024, unsigned short context_length=65535, int nesting_level=1)  Line 3016 + 0x11 bytes	C
 	QtCored4.dll!GPOS_Do_Glyph_Lookup(GPOS_Instance_ * gpi=0x01b7bc28, unsigned short lookup_index=15, HB_BufferRec_ * buffer=0x130b91a8, unsigned short context_length=65535, int nesting_level=1)  Line 5809 + 0x1f bytes	C
 	QtCored4.dll!GPOS_Do_String_Lookup(GPOS_Instance_ * gpi=0x01b7bc28, unsigned short lookup_index=15, HB_BufferRec_ * buffer=0x130b91a8)  Line 5899 + 0x1b bytes	C
 	QtCored4.dll!HB_GPOS_Apply_String(HB_Font_ * font=0x130b3245, HB_GPOSHeader_ * gpos=0x130c5050, unsigned short load_flags=0, HB_BufferRec_ * buffer=0x130b91a8, unsigned char dvi=0, unsigned char r2l=0)  Line 6070 + 0x12 bytes	C
 	QtCored4.dll!HB_OpenTypePosition(HB_ShaperItem_ * item=0x01b7beb8, int availableGlyphs=20, unsigned char doLogClusters='')  Line 1202 + 0x26 bytes	C++
 	QtCored4.dll!HB_BasicShape(HB_ShaperItem_ * shaper_item=0x01b7beb8)  Line 575 + 0xf bytes	C++
 	QtCored4.dll!HB_ShapeItem(HB_ShaperItem_ * shaper_item=0x01b7beb8)  Line 1334 + 0x13 bytes	C++
 	QtCored4.dll!qShapeItem(HB_ShaperItem_ * item=0x01b7beb8)  Line 120 + 0x9 bytes	C++
 	QtGuid4.dll!QTextEngine::shapeTextWithHarfbuzz(int item=0)  Line 1275 + 0xd bytes	C++
 	QtGuid4.dll!QTextEngine::shapeText(int item=0)  Line 877	C++
 	QtGuid4.dll!QTextEngine::shape(int item=0)  Line 1383	C++
 	QtGuid4.dll!QTextLine::layout_helper(int maxGlyphs=176)  Line 1837	C++
 	QtGuid4.dll!QTextLine::setNumColumns(int numColumns=176)  Line 1641	C++
At the crash point, line 3015 of harfbuzz-gpos.c, buffer->in_pos == 11, i == 12, and j == 65535. The crash is an out-of-bounds read from the input string buffer at index 65535 — the same value as the context_length argument shown in the trace above.