authorKen Sharp <ken.sharp@artifex.com>2013-04-29 17:39:07 +0100
committerKen Sharp <ken.sharp@artifex.com>2013-04-29 17:39:07 +0100
commit1c69af7f3e9830c39eb81961e90691e2ec847342 (patch)
treefa10b0e272c4bcc7aabee82050a711864dbed721
parent6664f4554a5d63560f94ea99214a9ad289e8e925 (diff)
pdfwrite - fix buffer overrun in CIDToGIDMap
Bug #693854 "PDFA/2b conversion crashes often" When converting TrueType fonts into CIDFonts, because we are creating a PDF/A output file, the calculated length of the CIDToGIDMap could be out by one as the first CID is 0. This later led to us writing beyond the end of the buffer, which could cause real problems, depending on what was overwritten. No differences expected.
-rw-r--r--gs/devices/vector/gdevpdtd.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/gs/devices/vector/gdevpdtd.c b/gs/devices/vector/gdevpdtd.c
index 395d0531f..5a22f0084 100644
--- a/gs/devices/vector/gdevpdtd.c
+++ b/gs/devices/vector/gdevpdtd.c
@@ -797,7 +797,7 @@ pdf_convert_truetype_font_descriptor(gx_device_pdf *pdev, pdf_font_resource_t *p
int FirstChar = pdfont->u.simple.FirstChar, LastChar = pdfont->u.simple.LastChar;
pdf_encoding_element_t *Encoding = pdfont->u.simple.Encoding;
int length_CIDSet = (pbfont->num_glyphs > LastChar ? (pbfont->num_glyphs + 7) / 8 : ((LastChar + 1) + 7 / 8));
- int length_CIDToGIDMap = (pbfont->num_glyphs > LastChar ? pbfont->num_glyphs * sizeof(ushort) : (LastChar + 1) * sizeof(ushort));
+ int length_CIDToGIDMap = (pbfont->num_glyphs > LastChar ? (pbfont->num_glyphs + 1) * sizeof(ushort) : (LastChar + 1) * sizeof(ushort));
pfd->FontType = ft_CID_TrueType;
pdfont->u.simple.Encoding = NULL; /* Drop due to overlapping against a garbager problem. */
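Review bot: The `+ 1` is applied only to `length_CIDToGIDMap`; `length_CIDSet` on the line above still uses `(pbfont->num_glyphs + 7) / 8`, so if the code that fills the CIDSet bitmap (outside this hunk) marks the same top CID that overran the map, it can still write one byte past the end whenever `num_glyphs` is a multiple of 8, and `(pbfont->num_glyphs + 1 + 7) / 8` would keep the two sizes consistent. The else branch of that same expression, `((LastChar + 1) + 7 / 8)`, evaluates to `LastChar + 1` because `7 / 8` is 0; that over-allocates and is harmless, but `((LastChar + 1) + 7) / 8` looks like what was intended. Because the fix enlarges the buffer rather than bounding the writes, the new line should carry a comment such as `/* + 1: the first CID is 0, see bug #693854 */`, and a check of the index against `length_CIDToGIDMap` at the store would turn any remaining miscount into an error instead of heap corruption. The body of pdf_convert_truetype_font_descriptor starts and ends outside the hunk, so the write sites could not be checked here.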