[psaux] Full bounds check for OtherSubr 19.

It is possible for OtherSubr 19 to be invoked when decoder->buildchar is NULL (so decoder->len_buildchar is 0), the blend is non-NULL with blend->num_designs set to 2, and the user-supplied idx is large (for example 0xFFFFFFFE). Since these are all FT_UInt32, the existing bounds check overflows in a well-defined manner, allowing for an invalid call to memcpy.

In addition, it is possible to call OtherSubr 19 with decoder->len_buildchar, blend->num_designs, and idx all zero (implying that blend->weight_vector and decoder->buildchar are NULL). This passes the bounds check (it is logically always fine to copy nothing starting at index zero) but may invoke undefined behavior in ft_memcpy if it is backed by memcpy. Calling memcpy with either the src or dst NULL is undefined behavior (even if count is zero).

  • src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that blend->num_designs can be copied to decoder->buildchar[idx]. Also avoid passing NULL to ft_memcpy.

Bug: https://crbug.com/1299259
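The two defects described above, modelled in standalone C as an added example (this is not FreeType's own psintrp.c code; the naive check, the field names and the `copy_weights` helper are assumptions made to illustrate the commit message). `naive_check_ok` shows how the FT_UInt32 sum wraps for idx = 0xFFFFFFFE, `full_check_ok` is the overflow-free form, and `copy_weights` also skips the memcpy entirely when there is nothing to copy so that NULL is never passed to it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t FT_UInt32;

/* Assumed shape of the original check: idx + num_designs is computed in
 * FT_UInt32 and wraps modulo 2^32, so a huge idx can pass the test. */
int naive_check_ok(FT_UInt32 len_buildchar, FT_UInt32 num_designs, FT_UInt32 idx)
{
    return (FT_UInt32)(idx + num_designs) <= len_buildchar;
}

/* Overflow-free check: idx must be inside the buffer, and the remaining
 * room after idx must hold num_designs entries. Neither subtraction wraps. */
int full_check_ok(FT_UInt32 len_buildchar, FT_UInt32 num_designs, FT_UInt32 idx)
{
    return idx <= len_buildchar && num_designs <= len_buildchar - idx;
}

/* Model of the OtherSubr 19 copy (constructed for this example).
 * Returns the number of entries copied, or -1 if the copy was rejected. */
long copy_weights(double *buildchar, FT_UInt32 len_buildchar,
                  const double *weight_vector, FT_UInt32 num_designs,
                  FT_UInt32 idx)
{
    if (!full_check_ok(len_buildchar, num_designs, idx))
        return -1;
    /* When num_designs is 0 both pointers may be NULL; memcpy with a NULL
     * src or dst is undefined even for a zero count, so do not call it. */
    if (num_designs == 0)
        return 0;
    memcpy(buildchar + idx, weight_vector, num_designs * sizeof(double));
    return (long)num_designs;
}

int main(void)
{
    /* Case from the commit message: buildchar NULL, num_designs 2, idx huge. */
    printf("naive check passes: %d\n", naive_check_ok(0, 2, 0xFFFFFFFEu));
    printf("full  check passes: %d\n", full_check_ok(0, 2, 0xFFFFFFFEu));
    printf("all-zero copy result: %ld\n", copy_weights(NULL, 0, NULL, 0, 0));
    return 0;
}
```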

Edited by Ben Wagner