diff --git a/ChangeLog b/ChangeLog
index 48e7836c6..2b8fce821 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-11-07 Ben Wagner
+
+ [truetype] Fix VF check from 2018-09-12 (#54973).
+
+ * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct
+ offsets for estimates.
+
 2018-11-06 Werner Lemberg
 [pshinter] Fix numeric overflow.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ae425e48e..8fda112b0 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3725,8 +3725,8 @@
 offsetToData = FT_GET_USHORT();
 /* rough sanity test */
- if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
- dataSize )
+ if ( offsetToData > dataSize ||
+ ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 > dataSize )
 {
 FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
 " invalid glyph variation array header\n" ));
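Review bot: The rewritten condition under `/* rough sanity test */` in src/truetype/ttgxvar.c checks `offsetToData` and the tuple-header estimate against `dataSize` separately, but the comment does not say why they are no longer summed, so a later reader could easily "restore" the addition. I would extend the comment to something like `/* rough sanity test: offset and header estimate are not measured from the same origin, so each is checked against dataSize on its own */`, with the wording confirmed against the table layout, since the ChangeLog only says "Use correct offsets for estimates". As written, the test is only a coarse filter on font-supplied values: it still accepts `offsetToData == dataSize` and a header area that overlaps the data it points to. The per-tuple reads that follow therefore need their own bounds checks, and that code, like the rest of the enclosing function, is outside this hunk.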