diff --git a/src/hb-ot-cff1-table.hh b/src/hb-ot-cff1-table.hh
index 05394038a..39da8fa7a 100644
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -392,13 +392,15 @@ struct Charset1_2 {
 return 0;
 }
- inline hb_codepoint_t get_glyph (hb_codepoint_t sid) const
+ inline hb_codepoint_t get_glyph (hb_codepoint_t sid, unsigned int num_glyphs) const
 {
 if (sid == 0) return 0;
 hb_codepoint_t glyph = 1;
 for (unsigned int i = 0;; i++)
 {
- if ((ranges[i].first <= sid) && sid <= ranges[i].first + ranges[i].nLeft)
+ if (glyph >= num_glyphs)
+ return 0;
+ if ((ranges[i].first <= sid) && (sid <= ranges[i].first + ranges[i].nLeft))
 return glyph + (sid - ranges[i].first);
 glyph += (ranges[i].nLeft + 1);
 }
@@ -550,9 +552,9 @@ struct Charset {
 if (format == 0)
 return u.format0.get_glyph (sid, num_glyphs);
 else if (format == 1)
- return u.format1.get_glyph (sid);
+ return u.format1.get_glyph (sid, num_glyphs);
 else
- return u.format2.get_glyph (sid);
+ return u.format2.get_glyph (sid, num_glyphs);
 }
 HBUINT8 format;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992
new file mode 100644
index 000000000..82a462bc4
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992 differ
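Review bot: The new `glyph >= num_glyphs` guard stops the walk over `ranges[]` before `glyph` passes the glyph count, but the match branch two lines below can still return an id at or above `num_glyphs` when the range containing `sid` runs past the end of the font: only `glyph` is checked, not `glyph + (sid - ranges[i].first)`, which can be up to `nLeft` larger. Unless the sanitizer elsewhere already clips the last range's `nLeft` (not visible here), the result should be bounded the same way as the loop, e.g. `hb_codepoint_t g = glyph + (sid - ranges[i].first); return g < num_glyphs ? g : 0;`. Termination of the `for (;;)` loop now rests on `glyph` growing by `nLeft + 1 >= 1` each iteration, so it ends after at most `num_glyphs` steps; a comment above the guard such as `/* presumably ranges[] is only sanitized up to num_glyphs; this also bounds the loop */` would make that reliance explicit for the next reader. The enclosing struct continues outside the hunk, and the second hunk only threads `num_glyphs` through the format-1/2 call sites and needs no change.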