--- fontforge-20120731-b/fontforge/parsepdf.c	2012-08-02 16:09:09.000000000 +0100
+++ fontforge-20120731-b-new/fontforge/parsepdf.c	2013-02-07 17:44:05.371466086 +0000
@@ -1691,9 +1691,9 @@
     /* to "Unicode" values it specifies rather than to the real order in which the glyphs are */
     /* stored in the file */
     pos = cmap_from_cid || sf->map == NULL ? gid : sf->map->map[gid];
-    sc = sf->glyphs[pos];
     
-    if (pos >= 0 && pos < sf->glyphcnt && (sc->unicodeenc != uvals[0] || nuni > 1)) {
+    if (pos >= 0 && pos < sf->glyphcnt && (sf->glyphs[pos]->unicodeenc != uvals[0] || nuni > 1)) {
+	sc = sf->glyphs[pos];
 	/* Sometimes FF instead of assigning proper Unicode values to TTF glyphs keeps */
 	/* them encoded to the same codepoint, but creates for each glyph an alternate */
 	/* encoding, corresponding to the position this glyph has in the font's encoding */
@@ -1723,6 +1723,7 @@
     FILE *file;
     int i, j, gid, start, end, uni, cur=0, nuni, nhex, nchars, lo, *uvals;
     long *mappings;
+    size_t num_mappings;
     char tok[200], *ccval, prevtok[200];
     SplineFont *sf = basesf->subfontcnt > 0 ? basesf->subfonts[0] : basesf;
 
@@ -1733,9 +1734,14 @@
 return;
     rewind(file);
     
+    num_mappings = sf->glyphcnt;
     mappings = gcalloc(sf->glyphcnt,sizeof(long));
     while ( pdf_getprotectedtok(file,tok) >= 0 ) {
 	if ( strcmp(tok,"beginbfchar") == 0 && sscanf(prevtok,"%d",&nchars)) {
+	    if (cur + nchars >= num_mappings) {
+		num_mappings = cur + nchars;
+		mappings = grealloc(mappings, num_mappings * sizeof(long));
+	    }
 	    for (i=0; i<nchars; i++) {
 		if (pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%x",&gid) &&
 		    pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%lx",&mappings[cur])) {