--- fontforge-20120731-b/fontforge/parsepdf.c	2012-08-02 16:09:09.000000000 +0100

+++ fontforge-20120731-b-new/fontforge/parsepdf.c	2013-02-07 17:44:05.371466086 +0000

@@ -1691,9 +1691,9 @@

     /* to "Unicode" values it specifies rather than to the real order in which the glyphs are */

     /* stored in the file */

     pos = cmap_from_cid || sf->map == NULL ? gid : sf->map->map[gid];

-    sc = sf->glyphs[pos];

-    if (pos >= 0 && pos < sf->glyphcnt && (sc->unicodeenc != uvals[0] || nuni > 1)) {

+    if (pos >= 0 && pos < sf->glyphcnt && (sf->glyphs[pos]->unicodeenc != uvals[0] || nuni > 1)) {

+	sc = sf->glyphs[pos];

 	/* Sometimes FF instead of assigning proper Unicode values to TTF glyphs keeps */

 	/* them encoded to the same codepoint, but creates for each glyph an alternate */

 	/* encoding, corresponding to the position this glyph has in the font's encoding */

@@ -1723,6 +1723,7 @@

     FILE *file;

     int i, j, gid, start, end, uni, cur=0, nuni, nhex, nchars, lo, *uvals;

     long *mappings;

+    size_t num_mappings;

     char tok[200], *ccval, prevtok[200];

     SplineFont *sf = basesf->subfontcnt > 0 ? basesf->subfonts[0] : basesf;

@@ -1733,9 +1734,14 @@

 return;

     rewind(file);

+    num_mappings = sf->glyphcnt;

     mappings = gcalloc(sf->glyphcnt,sizeof(long));

     while ( pdf_getprotectedtok(file,tok) >= 0 ) {

 	if ( strcmp(tok,"beginbfchar") == 0 && sscanf(prevtok,"%d",&nchars)) {

+	    if (cur + nchars >= num_mappings) {

+		num_mappings = cur + nchars;

+		mappings = grealloc(mappings, num_mappings * sizeof(long));

+	    }

 	    for (i=0; i

 		if (pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%x",&gid) &&

 		    pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%lx",&mappings[cur])) {