diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index b2b2f0ef0..738b0c8ec 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -2064,6 +2064,9 @@ struct LigatureArray : OffsetListOf<LigatureAttach>
     unsigned ligature_count = 0;
     for (hb_codepoint_t gid : coverage)
     {
+      if (ligature_count >= this->len)
+        break;
+
       ligature_count++;
       if (!glyphset.has (gid)) continue;
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4901143794810880 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4901143794810880
new file mode 100644
index 000000000..d6624f380
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4901143794810880 differ
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6372147008241664 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6372147008241664
new file mode 100644
index 000000000..696bd6e74
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6372147008241664 differ