
Add a bounds check to cairo_cff_font_read_fdselect()

Uli Schlachter requested to merge psychon/cairo:font-parse-oob into master

The code in cairo-cff-subset.c parses a binary format without seeming to bother much with verifying the data. The result is that poppler can be used to cause an out-of-bounds write in cairo_cff_font_read_fdselect() via a crafted font file. Fix this by adding the needed length check.

The other code in the file also contains lots of similar things. Since I cannot really fix everything properly, I'll just fix the one instance that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is quite large. Adding something this big to the test suite does not seem sensible.

Fixes: #451

Signed-off-by: Uli Schlachter psychon@znc.in
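The description above names the defect class (a binary-format parser that trusts lengths and indices taken from the file) and the fix (a length check before the read). The following is an added illustration, not cairo's code and not the patch in this merge request: a small stand-alone FDSelect reader in C that performs the bounds checks such a parser needs. It assumes the FDSelect layout from the CFF specification (format 0: one FD byte per glyph; format 3: a Card16 range count, then {first glyph Card16, FD Card8} ranges, then a Card16 sentinel equal to the glyph count). The byte arrays are constructed sample data, not taken from any real font.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The font blob being parsed: a pointer plus the length we actually own. */
typedef struct {
    const unsigned char *data;
    size_t len;
} blob_t;

/* 1 if [offset, offset + n) lies inside the blob, else 0.
 * Written with subtraction so offset + n cannot wrap around. */
static int in_bounds(const blob_t *b, size_t offset, size_t n)
{
    return offset <= b->len && n <= b->len - offset;
}

static unsigned read_u16(const unsigned char *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* Parse an FDSelect structure at `offset` and fill fd_index[0..nglyphs)
 * with the FD index of each glyph. Returns 0 on success, -1 if the data
 * would run past the blob or would write past fd_index. */
int parse_fdselect(const blob_t *font, size_t offset, unsigned nglyphs, uint8_t *fd_index)
{
    if (!in_bounds(font, offset, 1))
        return -1;                              /* format byte itself */
    const unsigned char *p = font->data + offset;
    uint8_t format = p[0];

    if (format == 0) {
        /* Format 0: nglyphs bytes follow the format byte. */
        if (!in_bounds(font, offset + 1, nglyphs))
            return -1;
        memcpy(fd_index, p + 1, nglyphs);
        return 0;
    }

    if (format == 3) {
        /* Format 3: nRanges, then nRanges * 3 bytes of ranges, then a 2-byte sentinel. */
        if (!in_bounds(font, offset + 1, 2))
            return -1;
        unsigned nranges = read_u16(p + 1);
        size_t table_len = (size_t)nranges * 3 + 2;
        if (!in_bounds(font, offset + 3, table_len))
            return -1;                          /* the check this MR is about */

        const unsigned char *r = p + 3;
        unsigned first = read_u16(r);           /* first range start, or the sentinel if nranges == 0 */
        if (nranges > 0 && first != 0)
            return -1;                          /* spec requires the first range to start at glyph 0 */
        for (unsigned i = 0; i < nranges; i++) {
            uint8_t fd = r[i * 3 + 2];
            unsigned next = read_u16(r + (i + 1) * 3);  /* next range start, or the sentinel */
            /* Values come from the file: clamp them to the fd_index buffer we own. */
            if (next < first || next > nglyphs)
                return -1;
            for (unsigned g = first; g < next; g++)
                fd_index[g] = fd;
            first = next;
        }
        return first == nglyphs ? 0 : -1;       /* sentinel must cover exactly nglyphs */
    }
    return -1;                                  /* unknown format */
}

/* Constructed sample inputs (not from any real font). */
/* Format 3, 10-glyph font: glyphs 0-3 -> FD 0, glyphs 4-9 -> FD 1, sentinel 10. */
static const unsigned char GOOD_FDSELECT[] =
    { 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x0a };
/* Claims two ranges but the blob ends after the first one. */
static const unsigned char TRUNCATED_FDSELECT[] =
    { 0x03, 0x00, 0x02, 0x00, 0x00, 0x00 };
/* Fits in the blob, but the sentinel 0xffff exceeds the 10-glyph fd_index buffer. */
static const unsigned char OVERSIZED_FDSELECT[] =
    { 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff };

/* Returns 1 when the well-formed table parses and maps glyphs as expected. */
int check_good(void)
{
    blob_t b = { GOOD_FDSELECT, sizeof GOOD_FDSELECT };
    uint8_t fd[10] = { 0xee };
    if (parse_fdselect(&b, 0, 10, fd) != 0)
        return 0;
    return fd[0] == 0 && fd[3] == 0 && fd[4] == 1 && fd[9] == 1;
}

/* Both malformed tables must be rejected (-1) rather than read or written past the buffer. */
int check_truncated(void)
{
    blob_t b = { TRUNCATED_FDSELECT, sizeof TRUNCATED_FDSELECT };
    uint8_t fd[10];
    return parse_fdselect(&b, 0, 10, fd);
}

int check_oversized(void)
{
    blob_t b = { OVERSIZED_FDSELECT, sizeof OVERSIZED_FDSELECT };
    uint8_t fd[10];
    return parse_fdselect(&b, 0, 10, fd);
}

int main(void)
{
    printf("good=%d truncated=%d oversized=%d\n", check_good(), check_truncated(), check_oversized());
    return 0;
}
```

The two malformed samples show the two separate checks a reader like this needs: the range count from the file must be checked against the remaining blob length before the ranges are read, and the glyph indices from the file must be checked against the size of the output buffer before anything is written through them. The first is the missing length check this merge request adds; the second is the same pattern on the write side.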
