diff --git a/ChangeLog b/ChangeLog
index 8ecd24224..769cb24ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-21 Werner Lemberg
+
+ [base] Improve sanity check for Mac resources (#49888).
+
+ * src/base/ftobjs.c (Mac_Read_sfnt_Resource): Abort if `rlen' is not
+ positive.
+
 2016-12-20 Werner Lemberg
 [base] More sanity checks for Mac resources.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 233c13c46..09cfe7aa4 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1842,7 +1842,7 @@
 if ( FT_READ_LONG( rlen ) )
 goto Exit;
- if ( rlen == -1 )
+ if ( rlen < 1 )
 return FT_THROW( Cannot_Open_Resource );
 if ( (FT_ULong)rlen > FT_MAC_RFORK_MAX_LEN )
 return FT_THROW( Invalid_Offset );
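Review bot: The new `if ( rlen < 1 )` guard in the src/base/ftobjs.c hunk has no comment explaining why zero and negative lengths are rejected, or why it must come before the `(FT_ULong)rlen` comparison that follows. `rlen` is read from the font file with `FT_READ_LONG`, so it is attacker-influenced, and the sign test only means something while it runs ahead of the unsigned cast. A comment such as `/* rlen comes from the file; reject zero and negative lengths before the unsigned range check below */` would stop a later reorder from silently dropping it. The guard also now reports every non-positive length as `Cannot_Open_Resource`, the code the old test used for the single value -1. Whether callers treat that differently from `Invalid_Offset` cannot be seen here, because the function body begins and ends outside the hunk.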