diff --git a/src/core/SkTextBlob.cpp b/src/core/SkTextBlob.cpp
index f686f29e83..182cf72ec2 100644
--- a/src/core/SkTextBlob.cpp
+++ b/src/core/SkTextBlob.cpp
@@ -809,7 +809,7 @@ sk_sp<SkTextBlob> SkTextBlob::MakeFromBuffer(SkReadBuffer& reader) {
             return nullptr;
         }
         int textSize = pe.extended ? reader.read32() : 0;
-        if (textSize < 0) {
+        if (textSize < 0 || static_cast<size_t>(textSize) > reader.size()) {
             return nullptr;
         }