diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 3cd80acfd..6b61186a9 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -262,10 +262,12 @@ struct KerxSubTableFormat1
 
       if (Format1EntryT::performAction (entry))
       {
+	unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
+
 	unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
 	kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
 	const FWORD *actions = &kernAction[kern_idx];
-	if (!c->sanitizer.check_array (actions, depth))
+	if (!c->sanitizer.check_array (actions, depth * tuple_count))
 	{
 	  depth = 0;
 	  return false;
@@ -276,8 +278,6 @@ struct KerxSubTableFormat1
 	/* From Apple 'kern' spec:
 	 * "Each pops one glyph from the kerning stack and applies the kerning value to it.
 	 * The end of the list is marked by an odd value... */
-	unsigned int tuple_count = table->header.tuple_count ();
-	tuple_count = tuple_count ? tuple_count : 1;
 	bool last = false;
 	while (!last && depth--)
 	{
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5629524117553152 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5629524117553152
new file mode 100644
index 000000000..01ca51737
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5629524117553152 differ