=== src/sfnt/ttmtx.c
==================================================================
--- src/sfnt/ttmtx.c	(revision 3231)
+++ src/sfnt/ttmtx.c	(local)
@@ -85,6 +85,9 @@
       ptable_size = &face->horz_metrics_size;
     }
     
+    if ( *ptable )
+      return SFNT_Err_Ok;
+
     if ( FT_FRAME_EXTRACT( table_size, *ptable ) )
       goto Fail;
       
@@ -142,6 +145,9 @@
       shorts = (TT_ShortMetrics**)&face->horizontal.short_metrics;
     }
 
+    if ( num_longs == 0 )
+      return SFNT_Err_Invalid_Table;
+
     /* never trust derived values */
 
     num_shorts         = face->max_profile.numGlyphs - num_longs;
@@ -352,6 +358,9 @@
       limit  = p + face->horz_metrics_size;
     }
 
+    if ( !p )
+      goto NoData;
+
     k = header->number_Of_HMetrics;
 
     if ( k > 0 )
=== src/sfnt/ttsbit.c
==================================================================
--- src/sfnt/ttsbit.c	(revision 3231)
+++ src/sfnt/ttsbit.c	(local)
@@ -640,6 +640,11 @@
                            FT_Size_Request  req,
                            FT_ULong*        astrike_index )
   {
+#ifdef FT_CONFIG_OPTION_OLD_INTERNALS
+    if ( (FT_UInt)req < 0x1000 )
+      return FT_Err_Invalid_Pixel_Size;
+#endif
+
     return FT_Match_Size( (FT_Face)face, req, 0, astrike_index );
   }
 
=== src/sfnt/ttsbit0.c
==================================================================
--- src/sfnt/ttsbit0.c	(revision 3231)
+++ src/sfnt/ttsbit0.c	(local)
@@ -170,6 +170,11 @@
                            FT_Size_Request  req,
                            FT_ULong*        astrike_index )
   {
+#ifdef FT_CONFIG_OPTION_OLD_INTERNALS
+        if ( (FT_UInt)req < 0x1000 )
+                return FT_Err_Invalid_Pixel_Size;
+#endif
+
     return FT_Match_Size( (FT_Face)face, req, 0, astrike_index );
   }