diff --git a/ChangeLog b/ChangeLog
index b928d36fd..9ddfad2c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-08-21 Werner Lemberg
+
+ * src/sfnt/ttcpal.c (tt_face_load_cpal): Add missing safety check.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9981
+
 2018-08-18 Werner Lemberg
 [psaux] Avoid slow PS font parsing in case of error.
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index b18f0aa13..be1b00412 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -121,6 +121,9 @@
 if ( cpal->num_colors * COLOR_SIZE > table_size - colors_offset )
 goto InvalidTable;
+ if ( face->palette_data.num_palette_entries > cpal->num_colors )
+ goto InvalidTable;
+
 cpal->color_indices = p;
 cpal->colors = (FT_Byte*)( table + colors_offset );
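Review bot: The added `num_palette_entries > cpal->num_colors` check only rejects a palette that could never fit in the color record array; a palette whose start index (read later from `color_indices`) lies near the end of `colors` can still run `num_palette_entries` records past `num_colors`, so the code that selects a palette still needs `start + num_palette_entries <= cpal->num_colors` unless it already clamps its loop to the end of `colors`, which is not visible here. The new condition also deserves a why-comment, e.g. `/* every palette holds num_palette_entries records; none can fit if that exceeds the total record count */`. The hunk shows no bound on `p` against the `num_palettes` color indices stored at `cpal->color_indices` either; if that is checked before this hunk, ignore the point. tt_face_load_cpal starts and ends outside the hunk.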