diff --git a/ChangeLog b/ChangeLog
index 5b43aa733..227e94e1f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2018-08-14  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix segv.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9864
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+	<cff_op_random> [CFF_CONFIG_OPTION_OLD_ENGINE]: Use top dict's
+	`random' field directly if parsing dictionaries.
+
 2018-08-13  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	[bdf] Use unsigned types.
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 024eb9c8b..3f4ea15cb 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1712,16 +1712,20 @@
           break;
 
         case cff_op_random:
-          FT_TRACE4(( " random\n" ));
+          {
+            FT_UInt32*  randval = in_dict ? &decoder->cff->top_font.random
+                                          : &decoder->current_subfont->random;
 
-          /* only use the lower 16 bits of `random'  */
-          /* to generate a number in the range (0;1] */
-          args[0] = (FT_Fixed)
-                      ( ( decoder->current_subfont->random & 0xFFFF ) + 1 );
-          args++;
 
-          decoder->current_subfont->random =
-            cff_random( decoder->current_subfont->random );
+            FT_TRACE4(( " random\n" ));
+
+            /* only use the lower 16 bits of `random'  */
+            /* to generate a number in the range (0;1] */
+            args[0] = (FT_Fixed)( ( *randval & 0xFFFF ) + 1 );
+            args++;
+
+            *randval = cff_random( *randval );
+          }
           break;
 
         case cff_op_mul: