gs_type2_interpret() doesn't check the validity of the input stream. ce2_hflex operator writes below the bottom of the stack when there's too few operands. This can be exploited to get the control or crash GS.
Some of the decisions in gs_type2_interpret() looked suspicious to me, but I never had a sample file to demonstrate the problem. With the switch to FreeType renderer this issue is no longer important.