diff --git a/ChangeLog b/ChangeLog
index 02539f6b6..77e825baa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-16 Werner Lemberg
+
+ [base] Reject invalid sfnt Mac resource (#47891).
+
+ * src/base/ftobjs.c (open_face_PS_from_sfnt_stream): Check validity
+ of `CID ' and `TYPE1' table offset and length.
+
 2016-05-16 Werner Lemberg
 
 [cid] Fix scanning for `StartData' and `/sfnts' (#47892).
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index af38d04bf..ff6ac11f2 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1483,6 +1483,7 @@
       if ( face_index >= 0 && pstable_index == face_index )
         return FT_Err_Ok;
     }
+
     return FT_THROW( Table_Missing );
   }
 
@@ -1520,6 +1521,19 @@
     if ( error )
       goto Exit;
 
+    if ( offset > stream->size )
+    {
+      FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table offset\n" ));
+      error = FT_THROW( Invalid_Table );
+      goto Exit;
+    }
+    else if ( length > stream->size - offset )
+    {
+      FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table length\n" ));
+      error = FT_THROW( Invalid_Table );
+      goto Exit;
+    }
+
     error = FT_Stream_Seek( stream, pos + offset );
     if ( error )
       goto Exit;
@@ -1528,7 +1542,8 @@
       goto Exit;
 
     error = FT_Stream_Read( stream, (FT_Byte *)sfnt_ps, length );
-    if ( error ) {
+    if ( error )
+    {
       FT_FREE( sfnt_ps );
       goto Exit;
     }
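Review bot: The new bounds check in the `@@ -1520,6 +1521,19 @@` hunk measures `offset` and `length` against `stream->size` from the start of the stream, but the read it guards begins at `pos + offset` (the FT_Stream_Seek two lines below), so a table whose `offset + length` fits the stream from position 0 can still extend past the end once `pos` is added, and `pos + offset` itself is an unchecked addition. FT_Stream_Seek and FT_Stream_Read will presumably reject such a position, so this only loosens the early rejection rather than reopening the overread, but the check would match the read it protects as `if ( offset > stream->size - pos )`, assuming `pos` is a stream position no larger than `stream->size` (it is assigned outside the hunk, so this needs confirming). The overflow-safe form `length > stream->size - offset` for the second test is the right shape and should be kept. The enclosing function open_face_PS_from_sfnt_stream starts and ends outside this hunk.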