[psaux] Fix another assertion.

* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.

Test case is file

  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read

in the `freetype2-testing` repository.

2 files changed, 27 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 02fc1a5f9..07c9a7819 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,30 @@
 2021-06-12  Werner Lemberg  <wl@gnu.org>
 
+	[psaux] Fix another assertion.
+
+	* src/psaux/psintrp.c (cf2_interpT2CharString)
+	<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
+	problem can happen with invalid user input.
+
+	Test case is file
+
+	  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
+
+	in the `freetype2-testing` repository.
+
+2021-06-12  Werner Lemberg  <wl@gnu.org>
+
 	[psaux] Fix assertions.
 
 	* src/psaux/pshints.c (cf2_hintmap_adjustHints): Check for overflow
 	before emitting an assertion error.
 
+	Test case is file
+
+	 fuzzing/corpora/legacy/oss-fuzz/4594115297673216-integer-overflow
+
+	in the `freetype2-testing` repository.
+
 2021-06-09  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	* src/truetype/ttinterp.c (TT_RunIns): Optimize tracing. 
diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c
index cc1b67600..40e927663 100644
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@@ -1670,7 +1670,13 @@
                      */
 
                     count = cf2_stack_count( opStack );
-                    FT_ASSERT( (CF2_UInt)arg_cnt <= count );
+                    if ( (CF2_UInt)arg_cnt > count )
+                    {
+                      FT_ERROR(( "cf2_interpT2CharString (Type 1 mode):"
+                                 " stack underflow\n" ));
+                      lastError = FT_THROW( Invalid_Glyph_Format );
+                      goto exit;
+                    }
 
                     opIdx += count - (CF2_UInt)arg_cnt;