diff --git cairo-1.10.0/src/cairo-cff-subset.c cairo-1.10.0/src/cairo-cff-subset.c
index a4a434f..306edeb 100644
--- cairo-1.10.0/src/cairo-cff-subset.c
+++ cairo-1.10.0/src/cairo-cff-subset.c
@@ -1487,8 +1487,10 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font)
 offset_base = _cairo_array_num_elements (&font->output) - 1;
 *offset_array++ = cpu_to_be32(1);
 for (i = 0; i < font->num_subset_fontdicts; i++) {
+ int offset_array_base=((char*)offset_array)-((char*)*font->output.elements); // the cff_dict_write call below can grow our font->output array. this causes the offset_array to become invalid.
 status = cff_dict_write (font->fd_dict[font->fd_subset_map[i]], &font->output);
+ offset_array=((uint32_t*)(((char*)*font->output.elements)+offset_array_base)); // recalc the offset array, since cff_dict_write above may have grown font->output array
 if (unlikely (status))
 return status;
 *offset_array++ = cpu_to_be32(_cairo_array_num_elements (&font->output) - offset_base);
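Review bot: The byte offset saved on the first added line is stored in an `int`, which is the wrong type for a pointer difference and silently truncates on targets where the output buffer can exceed INT_MAX bytes; `ptrdiff_t offset_array_base = (char *) offset_array - (char *) *font->output.elements;` carries the full range and makes the intent (a displacement, not a count) explicit. The re-derivation on the second added line is also done before the `unlikely (status)` check, so it is worth moving it below that check so the pointer is only rebuilt on the path that uses it: `offset_array = (uint32_t *) ((char *) *font->output.elements + offset_array_base);`. Stylistically the new lines use `//` comments, mid-block declarations and `a=b` spacing where the rest of this file uses `/* */`, block-top declarations and `a = b`, so they stand out as a local patch rather than upstream code. The stale-pointer hazard being fixed here, a cached pointer into `font->output` surviving an append that may reallocate the array, is a pattern rather than a single site, so any other writer in this file that holds such a pointer across a `cff_dict_write` call would presumably need the same treatment and is worth auditing when this is picked up. cairo_cff_font_write_cid_fontdict begins before this hunk and its closing brace and return lie after it.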