diff --git a/ChangeLog b/ChangeLog
index 25fb10c7c..c58d6bf6a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-07-08  Werner Lemberg  <wl@gnu.org>
+
+	[psaux] Add better argument check for `callothersubr'.
+
+	* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+	<op_callothersubr>: Reject negative arguments.
+
 2011-07-07  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] Try harder to find non-zero values for ascender and descender.
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index ea31c51b1..a60ec38af 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -4,8 +4,7 @@
 /*                                                                         */
 /*    PostScript Type 1 decoding routines (body).                          */
 /*                                                                         */
-/*  Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009    */
-/*            2010 by                                                      */
+/*  Copyright 2000-2011 by                                                 */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -687,6 +686,9 @@
         subr_no = (FT_Int)( top[1] >> 16 );
         arg_cnt = (FT_Int)( top[0] >> 16 );
 
+        if ( arg_cnt < 0 || subr_no < 0 )
+          goto Unexpected_OtherSubr;
+
         /***********************************************************/
         /*                                                         */
         /* remove all operands to callothersubr from the stack     */