Bug: tt_cmap4_char_map_binary() in ttcmap.c ~line 1408
Root cause: validator skips idRangeOffset bounds check for last (sentinel)
segment 0xFFFF–0xFFFF; runtime skips limit guard when
next==0 (direct FT_Get_Char_Index calls).
Platform: Linux / Android Chrome only (FreeType path).
Expected ASan output:
heap-buffer-overflow READ 2 ... tt_cmap4_char_map_binary
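
Added example (not FreeType's code, and not part of the original note): a stand-alone cmap format 4 segment check that applies the idRangeOffset bounds test to every segment, including the 0xFFFF–0xFFFF sentinel the note says the validator skips. The names cmap4_check_segments and build_sample are hypothetical, and the 36-byte table is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Return 0 if every glyphIdArray read implied by the segments stays inside the
   subtable, -1 otherwise. The last 0xFFFF..0xFFFF segment gets no exemption. */
int cmap4_check_segments(const uint8_t *table, size_t avail)
{
    if (avail < 16 || be16(table) != 4) return -1;
    size_t length = be16(table + 2), segx2 = be16(table + 6);
    if (length > avail || segx2 == 0 || (segx2 & 1)) return -1;
    if (16 + 4 * segx2 > length) return -1;      /* four parallel arrays + pad */
    size_t starts = 16 + segx2, offs = 16 + 3 * segx2, glyph_ids = 16 + 4 * segx2;
    for (size_t i = 0; i < segx2; i += 2) {
        size_t start = be16(table + starts + i), end = be16(table + 14 + i);
        size_t ro = be16(table + offs + i);
        if (start > end) return -1;
        if (ro == 0) continue;                   /* glyph = code + idDelta */
        size_t first = offs + i + ro;            /* relative to its own slot */
        size_t past = first + 2 * (end - start + 1);
        if (first < glyph_ids || past > length) return -1;
    }
    return 0;
}

/* Constructed sample: segment 'A'..'B' plus the sentinel, whose idRangeOffset
   is sentinel_ro. Writes 36 bytes to buf and returns that size. */
size_t build_sample(uint8_t *buf, uint16_t sentinel_ro)
{
    const uint16_t w[] = { 4, 36, 0, 4, 4, 1, 0,          /* header, segCountX2 = 4 */
                           0x42, 0xFFFF, 0, 0x41, 0xFFFF, /* endCode, pad, startCode */
                           0, 1, 4, sentinel_ro,          /* idDelta, idRangeOffset */
                           5, 6 };                        /* glyphIdArray */
    for (size_t i = 0; i < sizeof w / sizeof w[0]; i++) {
        buf[2 * i] = (uint8_t)(w[i] >> 8);
        buf[2 * i + 1] = (uint8_t)(w[i] & 0xFF);
    }
    return sizeof w;
}

int main(void)
{
    uint8_t buf[36];
    size_t n = build_sample(buf, 0x1000);        /* constructed bad sentinel */
    printf("bad sentinel offset: %d\n", cmap4_check_segments(buf, n));
    return 0;
}
```

A sentinel idRangeOffset of 0, or one that lands inside glyphIdArray, passes; any value that points past the subtable length is rejected at load time, so the lookup path never depends on a runtime limit guard.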