The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.

The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.

Fixes: #444


Signed-off-by: Uli Schlachter <psychon@znc.in>