Via HackerOne, although this is not a security issue. PhutilRope does have a bug with byte handling, though.
- rPHUe0dd9c4efda1: Fix an issue with removing bytes in PhutilRope
Added a failing test and made it pass.
The bug was here: we incorrectly used $length instead of $remaining_length, so we could strip too many bytes off the buffer. I've tried to rename variables to make the method more clear, since $len, $length and $remaining_length were fairly confusing.
Prior to this fix, this incorrectly output "ddddddddd".