diff --git a/ChangeLog b/ChangeLog
index 8fed6a2a3..b89a08255 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-16 Werner Lemberg
+
+ [truetype] Fix `cvar' sanity test.
+
+ Reported by Dave Arnold.
+
+ * src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
+
 2016-12-16 Werner Lemberg
 
 [cff, truetype] Remove compiler warnings; fix `make multi'.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index dae0cb7ed..12a316036 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2020,7 +2020,8 @@
 offsetToData = FT_GET_USHORT();
 
 /* rough sanity test */
- if ( offsetToData + tupleCount * 4 > table_len )
+ if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+ table_len )
 {
 FT_TRACE2(( "tt_face_vary_cvt:"
 " invalid CVT variation array header\n" ));
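Review bot: The mask is applied inline in the sanity test only, so every other use of `tupleCount` in tt_face_vary_cvt (the function starts and ends outside this hunk) must repeat `& GX_TC_TUPLE_COUNT_MASK` or it will again read the flag bits as part of the count. Because this parses font data that may be untrusted and the test is only a lower bound (the `* 4` presumably stands for the minimum size of one tuple header), a missed mask later would most likely show up as an oversized loop bound rather than a clean rejection. Consider masking once into a local right after the value is read and using that local both here and in the later code. The comment could also state the reasoning, for example `/* rough sanity test: each tuple header needs at least 4 bytes; the upper bits of tupleCount are flags */`.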