diff --git a/ChangeLog b/ChangeLog
index da4415155..df93a20cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-02-19 Werner Lemberg
+
+	[cff] Emit better error code for invalid private dict size.
+
+	* src/cff/cffparse.c (cff_parse_private_dict): Reject negative
+	values for size and offset.
+
 2015-02-19 Werner Lemberg
 	[autofit] Fix signedness issues.
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 9a2d8115c..262ecc237 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -617,14 +617,34 @@
     if ( parser->top >= parser->stack + 2 )
     {
-      dict->private_size = cff_parse_num( data++ );
-      dict->private_offset = cff_parse_num( data );
+      FT_Long tmp;
+
+
+      tmp = cff_parse_num( data++ );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary size\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_size = (FT_ULong)tmp;
+
+      tmp = cff_parse_num( data );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary offset\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_offset = (FT_ULong)tmp;
+
       FT_TRACE4(( " %lu %lu\n", dict->private_size, dict->private_offset ));
       error = FT_Err_Ok;
     }
+  Fail:
     return error;
   }
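Review bot: The two `tmp < 0` checks in cff_parse_private_dict reject negative operands, but nothing in this hunk bounds `private_size` or `private_offset` against the font stream, so an arbitrarily large positive value is still stored through the `(FT_ULong)tmp` casts; presumably the code that later seeks to the Private DICT and reads `private_size` bytes checks this against the stream length, but that is worth confirming rather than assuming, since wrap-around of a negative value is now impossible while an out-of-range read is still only caught downstream. A `private_size` of zero also passes both checks; if the caller treats zero as "no Private DICT" that is fine, otherwise it deserves the same rejection. A short why-comment above the first check would help the next reader, e.g. `/* size and offset are stored as FT_ULong; a negative operand would */` `/* wrap to a huge value, so reject it here with a clear error       */`. The declarations of `error` and `data` at the start of cff_parse_private_dict lie outside the hunk.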