The parse_charstrings function in type1/t1load.c in FreeType 2 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1429968]
Created mingw-freetype tracking bugs for this issue:
Affects: epel-7 [bug 1429969]
Affects: fedora-all [bug 1429967]
As per the patch, this seems to be an OOB read, causing a crash. I don't have access to the reproducer, but it seems all versions of freetype shipped with Red Hat Enterprise Linux are affected.