diff --git a/ChangeLog b/ChangeLog
index 8544a4132..e6d060258 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2010-09-19 suzuki toshiya
+
+ [cff] Truncate the element length at the end of the stream.
+ See Savannah bug #30975.
+
+ * src/cff/cffload.c (cff_index_access_element): `off2', the
+ offset to the next element is truncated at the end of the
+ stream to prevent invalid I/O. As `off1', the offset to the
+ requested element has been checked by FT_STREAM_SEEK(),
+ `off2' should be checked similarly.
+
 2010-09-19 suzuki toshiya
 
 [cff] Ignore CID > 0xFFFFU.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 8f2934358..c0f21097a 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -519,6 +519,17 @@
 }
 }
 
+ /* XXX: should check off2 does not exceed the end of this entry */
+ /* at present, only truncate off 2 at the end of this stream */
+ if ( idx->data_offset + off2 - 1 > stream->size )
+ {
+ FT_ERROR(( "cff_index_access_element:"
+ " offset to next entry (%d)"
+ " exceeds the end of stream (%d)\n",
+ off2, stream->size - idx->data_offset + 1 ));
+ off2 = stream->size - idx->data_offset + 1;
+ }
+
 /* access element */
 if ( off1 && off2 > off1 )
 {
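Review bot: The new guard `if ( idx->data_offset + off2 - 1 > stream->size )` can itself be bypassed, because `off2` is a value read from the font and the addition `idx->data_offset + off2` can wrap around the unsigned type, making the sum small enough to pass the comparison while `off2` stays out of range for the element access that follows. Writing the bound as a subtraction avoids the addition entirely: `if ( off2 > stream->size + 1 || idx->data_offset > stream->size - off2 + 1 )`, which is equivalent to the current test whenever no wrap occurs. The types of `off2` and `idx->data_offset` are not visible in the hunk, so this assumes they are unsigned `FT_ULong`; if they are, the `%d` conversions in the `FT_ERROR` call also mismatch their arguments and should probably be `%lu`. The second added comment has a typo, `off 2` for `off2`. `cff_index_access_element` starts and ends outside the hunk.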