diff --git a/ChangeLog b/ChangeLog
index 777248a36..4e1e66402 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
 * src/pfr/pfrtypes.h (PFR_GlyphRec): Comment out unused code.
+
+ * src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
+
 2007-06-04 Werner Lemberg
 * src/cid/cidgload.c (cid_load_glyph): Check `fd_select'.
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index d0251cf78..31ae54556 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -536,11 +536,17 @@
 root->num_glyphs = font->header.last_char - font->header.first_char + 1 + 1;
+ if ( font->header.face_name_offset >= font->header.file_size )
+ {
+ FT_TRACE2(( "invalid family name offset!\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
+ family_size = font->header.file_size - font->header.face_name_offset;
 /* Some broken fonts don't delimit the face name with a final */
 /* NULL byte -- the frame is erroneously one byte too small. */
 /* We thus allocate one more byte, setting it explicitly to */
 /* zero. */
- family_size = font->header.file_size - font->header.face_name_offset;
 if ( FT_ALLOC( font->family_name, family_size + 1 ) ) goto Fail;
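Review bot: The new guard ahead of `family_size` compares `face_name_offset` against `file_size`, and both values are read from the font's own header, so `family_size` only bounds the later name copy if `file_size` was itself checked against the real stream length when the font data was loaded; that earlier check, if present, is outside this hunk. A comment stating that dependency would save the next reader a trip, e.g. `/* Both fields come from the untrusted header; file_size must already */` `/* be bounded by the stream length, else family_size is meaningless. */`. FNT_Face_Init begins and ends outside the hunk.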