diff --git a/ChangeLog b/ChangeLog
index 5286ee8c3..8fb955e9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-08 Werner Lemberg
+
+ [type1] Protect against invalid number of subroutines (#46150).
+
+ * src/type1/t1load.c (parse_subrs): Check number of
+ `Subrs' dictionary entries against size of data stream.
+
 2015-10-07 Kostya Serebryany
 
 [ftfuzzer] Add support for LLVM's LibFuzzer.
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index dbf4eafd7..01fb60fe8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1420,6 +1420,21 @@
 }
 
 num_subrs = (FT_Int)T1_ToInt( parser );
+ if ( num_subrs < 0 )
+ {
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
+ /* we certainly need more than 8 bytes per subroutine */
+ if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+ {
+ FT_TRACE0(( "parse_subrs: adjusting number of subroutines" " (from %d to %d)\n", num_subrs, ( parser->root.limit - parser->root.cursor ) >> 3 ));
+ num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;
+ }
 
 /* position the parser right before the `dup' of the first subr */
 T1_Skip_PS_Token( parser ); /* `array' */
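Review bot: In the new clamp in parse_subrs, the FT_TRACE0 call passes `( parser->root.limit - parser->root.cursor ) >> 3` to a `%d` conversion; if cursor and limit are byte pointers, as the subtraction suggests, that value is a ptrdiff_t and `%d` is the wrong width on LP64 targets, and the same value is then stored into the `FT_Int` num_subrs with no cast, narrowing it silently. Use `" (from %d to %ld)\n"` with `(long)( ( parser->root.limit - parser->root.cursor ) >> 3 )` as the trace argument and `num_subrs = (FT_Int)( ( parser->root.limit - parser->root.cursor ) >> 3 );` for the assignment, or compute the bound once into a local so the expression is not repeated three times. The clamp also presumes cursor has not run past limit; a negative difference shifted right is implementation-defined and would leave num_subrs unclamped, so if that state is reachable here (cursor/limit are maintained outside the hunk) guard the condition with `parser->root.limit >= parser->root.cursor &&`. Note that "8 bytes per subroutine" is a heuristic lower bound rather than a guarantee, so the loop that consumes the `dup` entries, which lies outside this hunk, must still bound-check each subroutine's length against the stream; parse_subrs starts and ends outside the hunk.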