There is a Microsoft Font Subsetting DLL heap corruption vulnerability in ComputeFormat4CmapData.

MD5 | 1e6e251496d7be9a3bc32fd32fae64ff