diff --git a/ChangeLog b/ChangeLog
index 6b9601724..7bb5fc1df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-05-18 Hongbo Ni
+
+ Apply patch #7196.
+
+ * src/cff/cffgload.c (cff_slot_load): Prevent crash if CFF subfont
+ index is out of range.
+
 2010-05-11 Werner Lemberg
 
 * docs/formats.txt: Give pointer to PCF documentation.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index f241bb4de..9e4dfc561 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -2667,11 +2667,15 @@
 /* this scaling is only relevant if the PS hinter isn't active */
 if ( cff->num_subfonts )
 {
- FT_Byte fd_index = cff_fd_select_get( &cff->fd_select,
- glyph_index );
+ FT_ULong top_upm, sub_upm;
+ FT_Byte fd_index = cff_fd_select_get( &cff->fd_select,
+ glyph_index );
 
- FT_ULong top_upm = cff->top_font.font_dict.units_per_em;
- FT_ULong sub_upm = cff->subfonts[fd_index]->font_dict.units_per_em;
+ if ( fd_index >= cff->num_subfonts )
+ fd_index = cff->num_subfonts - 1;
+
+ top_upm = cff->top_font.font_dict.units_per_em;
+ sub_upm = cff->subfonts[fd_index]->font_dict.units_per_em;
 
 
 font_matrix = cff->subfonts[fd_index]->font_dict.font_matrix;
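Review bot: The clamp at `if ( fd_index >= cff->num_subfonts )` stops the out-of-bounds read of `cff->subfonts[]`, but it silently substitutes the last subfont, so a font whose FDSelect entry is out of range still loads and is scaled with an unrelated `units_per_em` and `font_matrix`. Since `fd_index` is read from the font file, I would either fail the glyph load here with the module's invalid-file-format error or, if rendering has to continue, state that choice in a comment such as `/* malformed FDSelect: index past num_subfonts; use last subfont rather than read out of bounds */` and emit a trace message so the corruption is visible. Any other site that indexes `cff->subfonts` with the result of `cff_fd_select_get` would need the same bound; none is visible in this hunk, so that needs checking in the rest of the file. `cff_slot_load` and the `if ( cff->num_subfonts )` block both extend beyond the hunk.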