freetype: heap buffer over-read in Type1 parser parse_subrs() (#35606)

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service invalid heap read operation and memory corruption or possibly execute arbitrary code via crafted dictionary data in a Type 1 font...