[psaux] Fix another assertion.

* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.

Test case is file

  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read

in the `freetype2-testing` repository.

ChangeLog

@@ -1,3 +1,17 @@
+2021-06-12  Werner Lemberg  <wl@gnu.org>
+
+	[psaux] Fix another assertion.
+
+	* src/psaux/psintrp.c (cf2_interpT2CharString)
+	<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
+	problem can happen with invalid user input.
+
+	Test case is file
+
+	  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
+
+	in the `freetype2-testing` repository.
+
 2021-06-12  Werner Lemberg  <wl@gnu.org>
 
 	[psaux] Fix assertions.
@@ -5,6 +19,12 @@
 	* src/psaux/pshints.c (cf2_hintmap_adjustHints): Check for overflow
 	before emitting an assertion error.
 
+	Test case is file
+
+	 fuzzing/corpora/legacy/oss-fuzz/4594115297673216-integer-overflow
+
+	in the `freetype2-testing` repository.
+
 2021-06-09  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	* src/truetype/ttinterp.c (TT_RunIns): Optimize tracing. 

src/psaux/psintrp.c

@@ -1670,7 +1670,13 @@
                      */
 
                     count = cf2_stack_count( opStack );
-                    FT_ASSERT( (CF2_UInt)arg_cnt <= count );
+                    if ( (CF2_UInt)arg_cnt > count )
+                    {
+                      FT_ERROR(( "cf2_interpT2CharString (Type 1 mode):"
+                                 " stack underflow\n" ));
+                      lastError = FT_THROW( Invalid_Glyph_Format );
+                      goto exit;
+                    }
 
                     opIdx += count - (CF2_UInt)arg_cnt;