freetype: off-by-one buffer over-read in parse_charstrings() / t42_parse_charstrings()
FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service out-of-bounds read or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c...