diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 5b8e6c778dc9e7df83dd970ab579df3f121f37b6..72a127bd52a501fb791920f9784435021ea25fbb 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -115,7 +115,7 @@ struct CFF2VariationStore
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (c->check_struct (this)) && varStore.sanitize (c));
+    return_trace (likely (c->check_struct (this)) && c->check_range (&varStore, size) && varStore.sanitize (c));
   }
 
   inline bool serialize (hb_serialize_context_t *c, const CFF2VariationStore *varStore)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216
new file mode 100644
index 0000000000000000000000000000000000000000..302a1c4ef86356a72b098b5ebffd80c309f47841
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 differ
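Review bot: The new `c->check_range (&varStore, size)` term on the added line carries no comment saying why a second bounds check is needed when `varStore.sanitize (c)` already validates the VariationStore against the blob, and the next reader will be tempted to drop it. From the context line that follows, `serialize` takes a `CFF2VariationStore *` and presumably copies the declared `size` bytes of `varStore` rather than what the sanitized structure spans — the attached fuzzer font suggests an over-read there — so the `size` field itself must be proven in-bounds before the copy. I would add above the return: `/* serialize () copies 'size' bytes of varStore verbatim, so the declared size must lie within the blob even when varStore's own sanitize would accept a shorter range. */`. Note that `check_range` still accepts `size == 0` and a `size` smaller than the sanitized VariationStore; whether either is a problem depends on serialize's body, which is outside this hunk.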