diff --git a/ChangeLog b/ChangeLog
index f305ef672..270389be7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-02-26  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Fix Savannah bug #35608.
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
+	dictionaries.
+
 2012-02-26  Werner Lemberg  <wl@gnu.org>
 
 	[bdf] Support `ENCODING -1 <n>' format.
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index d7b2ca53e..495527962 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Type 1 parser (body).                                                */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by             */
+/*  Copyright 1996-2005, 2008, 2009, 2012 by                               */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -467,6 +467,14 @@
     /* we now decrypt the encoded binary private dictionary */
     psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
 
+    if ( parser->private_len < 4 )
+    {
+      FT_ERROR(( "T1_Get_Private_Dict:"
+                 " invalid private dictionary section\n" ));
+      error = T1_Err_Invalid_File_Format;
+      goto Fail;
+    }
+
     /* replace the four random bytes at the beginning with whitespace */
     parser->private_dict[0] = ' ';
     parser->private_dict[1] = ' ';