diff --git a/ChangeLog b/ChangeLog
index c01ecb8cc..63dc3f355 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-06-27 Werner Lemberg
+
+ [cff] Protect against invalid `hintmask' and `cntrmask' operators.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings)
+ : Ensure that we don't exceed `limit' while parsing
+ the bit masks of the `hintmask' and `cntrmask' operators.
+
 2010-06-26 Werner Lemberg
 
 Fix PFR change 2010-06-24.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 67190182d..51efcb9a9 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -1341,6 +1341,14 @@
 
 if ( hinter )
 {
+ /* In a valid charstring there must be at least three bytes */
+ /* after `hintmask' or `cntrmask' (two for a `moveto' */
+ /* operator and one for `endchar'). Additionally, there */
+ /* must be space for `num_hints' bits. */
+
+ if ( ( ip + 3 + ( decoder->num_hints >> 8 ) ) >= limit )
+ goto Syntax_Error;
+
 if ( op == cff_op_hintmask )
 hinter->hintmask( hinter->hints,
 builder->current->n_points,
@@ -1360,7 +1368,7 @@
 FT_TRACE4(( " (maskbytes:" ));
 
 for ( maskbyte = 0;
- maskbyte < (FT_UInt)(( decoder->num_hints + 7 ) >> 3);
+ maskbyte < (FT_UInt)( ( decoder->num_hints + 7 ) >> 3 );
 maskbyte++, ip++ )
 FT_TRACE4(( " 0x%02X", *ip ));
 
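Review bot: The new bound check in the first cffgload.c hunk undercounts the mask bytes: `decoder->num_hints >> 8` divides by 256, whereas the number of bytes the mask occupies is `( decoder->num_hints + 7 ) >> 3`, which is exactly the expression the second hunk's trace loop uses when it advances `ip` and reads `*ip`. With, say, 16 hints the guard reserves 0 mask bytes while the loop reads 2, so an overlong charstring can still push `ip` past `limit`; the line should read `if ( ( ip + 3 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )`. The check is also placed inside `if ( hinter ) { … }`, so it presumably does not protect the path that consumes the mask bytes when no hinter is attached — moving it in front of `if ( hinter )` would cover both. The enclosing `switch` case and `cff_decoder_parse_charstrings` extend beyond both hunks.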