diff --git a/ChangeLog b/ChangeLog
index df83e9af5..61bd6149f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-06-19 Werner Lemberg
+
+ [cff] Fix handling of reserved byte 0xFF.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte
+ 0xFF is encountered.
+
 2009-06-19 Werner Lemberg Improve debug messages for Type1 charstrings.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 03956cab8..6cb26a43e 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -938,17 +938,9 @@
 goto Syntax_Error;
 val = -( (FT_Long)v - 251 ) * 256 - *ip++ - 108;
 }
-else
-{
-if ( ip + 3 >= limit )
-goto Syntax_Error;
-val = ( (FT_Int32)ip[0] << 24 ) |
-( (FT_Int32)ip[1] << 16 ) |
-( (FT_Int32)ip[2] << 8 ) |
-ip[3];
-ip += 4;
-shift = 0;
-}
+else /* 255 */
+goto Syntax_Error;
+
 if ( decoder->top - stack >= CFF_MAX_OPERANDS )
 goto Stack_Overflow;
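Review bot: The new `else /* 255 */ goto Syntax_Error;` rejects every charstring that uses operand prefix 255, but as far as I recall the Type 2 Charstring Format spec defines 255 as a 16-bit signed integer with 16 bits of fraction (it is the CFF DICT encoding, not the charstring encoding, that reserves 255), and the removed branch's `shift = 0` looks like it was already decoding exactly that 16.16 form — please confirm against the spec before making this a hard failure, since it would turn fonts that are valid into load errors rather than harden anything. If the branch is restored, keep the `ip + 3 >= limit` bounds check from the removed code (it correctly guards the four bytes read), but assemble the value through an unsigned type: `(FT_Int32)ip[0] << 24` shifts into the sign bit whenever `ip[0] >= 0x80`, which is undefined behaviour in C. The enclosing function cff_decoder_parse_charstrings starts and ends outside this hunk, so I could not check how `val` and `shift` are consumed afterwards.

```c
          else /* 255: 16.16 fixed-point operand per Type 2 spec -- confirm */
          {
            if ( ip + 3 >= limit )
              goto Syntax_Error;
            /* assemble unsigned: shifting a byte >= 0x80 into bit 31 of a */
            /* signed 32-bit value is undefined behaviour in C             */
            val = (FT_Int32)( ( (FT_UInt32)ip[0] << 24 ) |
                              ( (FT_UInt32)ip[1] << 16 ) |
                              ( (FT_UInt32)ip[2] <<  8 ) |
                                (FT_UInt32)ip[3]        );
            ip   += 4;
            shift = 0;
          }
          /* ... unchanged: operand stack overflow check ... */
```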