diff --git a/src/fccache.c b/src/fccache.c
index 02ec301..7e4e600 100644
--- a/src/fccache.c
+++ b/src/fccache.c
@@ -640,6 +640,8 @@ FcCacheOffsetsValid (FcCache *cache)
             FcPattern		*font = FcFontSetFont (fs, i);
             FcPatternElt	*e;
             FcValueListPtr	 l;
+	    ssize_t              c;
+	    char                *begin;
 
             if ((char *) font < base ||
                 (char *) font > end - sizeof (FcFontSet) ||
@@ -653,11 +655,18 @@ FcCacheOffsetsValid (FcCache *cache)
             if (e->values != 0 && !FcIsEncodedOffset(e->values))
                 return FcFalse;
 
-            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
-                if (l->next != NULL && !FcIsEncodedOffset(l->next))
-                    break;
-            if (j < 0)
-                return FcFalse;
+	    for (j = 0; j < font->num; j++)
+	    {
+		begin = (char *)FcPatternEltValues(&e[j]);
+		c = (end - begin) / sizeof (FcValueList);
+		for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
+		{
+		    if ((char *) l < begin || (char *)l > end - sizeof (*l) ||
+			(l->next != NULL && !FcIsEncodedOffset(l->next)) ||
+			c-- <= 0)
+			return FcFalse;
+		}
+	    }
         }
     }