diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 42181bf64..c73183473 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -113,6 +113,8 @@ struct KerxSubTableFormat2
     unsigned int r = *(this+rightClassTable).get_value (right, num_glyphs);
     unsigned int offset = l + r;
     const FWORD *arr = &(this+array);
+    if (unlikely ((const void *) arr < (const void *) this || (const void *) arr >= (const void *) end))
+      return 0;
     const FWORD *v = &StructAtOffset<FWORD> (arr, offset);
     if (unlikely ((const void *) v < (const void *) arr || (const void *) (v + 1) > (const void *) end))
       return 0;
diff --git a/src/hb-aat-layout.cc b/src/hb-aat-layout.cc
index 5cd9621f1..71932e798 100644
--- a/src/hb-aat-layout.cc
+++ b/src/hb-aat-layout.cc
@@ -74,7 +74,9 @@ hb_aat_layout_substitute (hb_ot_shape_plan_t *plan,
 }
 
 void
-hb_aat_layout_position (hb_font_t *font, hb_buffer_t *buffer)
+hb_aat_layout_position (hb_ot_shape_plan_t *plan,
+			hb_font_t *font,
+			hb_buffer_t *buffer)
 {
 #if 0
   hb_blob_t *blob;