Backport of: From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001 From: Zdenek Hutyra Date: Mon, 13 Jan 2025 09:15:01 +0000 Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend During serializing a multiple master font for passing to Freetype. Use CVE-2025-27830 --- base/write_t1.c | 9 +++++---- psi/zfapi.c | 9 +++++++-- 2 files changed, 12 insertions(+), 6 deletions(-) --- a/base/write_t1.c +++ b/base/write_t1.c @@ -454,6 +454,7 @@ write_main_dictionary(gs_fapi_font * a_f WRF_wbyte(a_fapi_font->memory, a_output, '\n'); if (is_MM_font(a_fapi_font)) { short x, x2; + unsigned short ux; float x1; uint i, j, entries; char Buffer[255]; @@ -548,14 +549,14 @@ write_main_dictionary(gs_fapi_font * a_f * be because the "get_proc" method below was missing the code to handle PS name * objects. */ - if ((x = + if ((ux = a_fapi_font->get_word(a_fapi_font, gs_fapi_font_feature_DollarBlend_length, 0)) > 0) { WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {"); if (a_output->m_count) - a_output->m_count += x; + a_output->m_count += ux; x = a_fapi_font->get_proc(a_fapi_font, gs_fapi_font_feature_DollarBlend, 0, (char *)a_output->m_pos); --- a/psi/zfapi.c +++ b/psi/zfapi.c @@ -618,6 +618,10 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa default: break; } + + if (length > max_ushort) { + return 0; + } } return length; }
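Review bot: In the `/$Blend` branch of write_main_dictionary the length is now held in `unsigned short ux`, but the result of `get_proc` two statements later is still assigned to the signed `short x`. If `get_proc` returns the number of bytes it wrote (its prototype is not visible here, so this is an assumption), a value above SHRT_MAX would be misrepresented in `x`, and any later adjustment of `a_output->m_pos` by `x` would disagree with the `m_count` that was just increased by `ux`. I would keep both values in the same unsigned type, for example `ux = a_fapi_font->get_proc(a_fapi_font, gs_fapi_font_feature_DollarBlend, 0, (char *)a_output->m_pos);`, and use `ux` in the statements that follow. `get_proc` also receives `a_output->m_pos` with no remaining-size argument, so a short comment stating that the buffer was sized from the same `DollarBlend_length` would help; the function continues outside the hunk.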
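Review bot: The new `if (length > max_ushort) return 0;` in FAPI_FF_get_word makes an oversize `$Blend` indistinguishable from an absent one, so write_main_dictionary will silently omit the entry. The guard deserves a comment saying why the cap exists and that returning 0 is deliberate. Something like `/* callers keep this in an unsigned short; refuse lengths that would be truncated rather than under-size the output buffer */` above the check would do. If an error path or debug log is available in this function (not visible in the hunk), reporting the rejected length there would make such fonts detectable rather than just tolerated. Which `case` the guard is nested in is outside the hunk.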