diff --git a/src/harfbuzz.cc b/src/harfbuzz.cc
index fe0010097..14ee6f5e8 100644
--- a/src/harfbuzz.cc
+++ b/src/harfbuzz.cc
@@ -9,6 +9,7 @@
 #include "hb-fallback-shape.cc"
 #include "hb-font.cc"
 #include "hb-map.cc"
+#include "hb-ms-feature-ranges.cc"
 #include "hb-number.cc"
 #include "hb-ot-cff1-table.cc"
 #include "hb-ot-cff2-table.cc"
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 5da487dd2..0b7878c77 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -2517,7 +2517,8 @@ struct VarRegionList
   {
     TRACE_SANITIZE (this);
     return_trace (c->check_struct (this) &&
-                  axesZ.sanitize (c, (unsigned int) axisCount * (unsigned int) regionCount));
+                  !hb_unsigned_mul_overflows (axisCount * regionCount, VarRegionAxis::static_size) &&
+                  axesZ.sanitize (c, axisCount * regionCount));
   }
 
   bool serialize (hb_serialize_context_t *c, const VarRegionList *src, const hb_bimap_t &region_map)
@@ -2527,7 +2528,9 @@ struct VarRegionList
     if (unlikely (!out)) return_trace (false);
     axisCount = src->axisCount;
     regionCount = region_map.get_population ();
-    if (unlikely (!c->allocate_size (get_size () - min_size))) return_trace (false);
+    if (unlikely (hb_unsigned_mul_overflows (axisCount * regionCount,
+                                             VarRegionAxis::static_size))) return_trace (false);
+    if (unlikely (!c->extend (out))) return_trace (false);
     unsigned int region_count = src->get_region_count ();
     for (unsigned int r = 0; r < regionCount; r++)
     {
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5362189182566400 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5362189182566400
new file mode 100644
index 000000000..fb1b22670
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5362189182566400 differ
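Review bot: The new guard in VarRegionList::sanitize, and again in serialize, only checks the final multiply by VarRegionAxis::static_size, while the inner `axisCount * regionCount` is evaluated unchecked in whatever type those fields promote to; the declarations are outside the hunk, and the removed line's explicit `(unsigned int)` casts suggest narrow fields whose product cannot wrap, but that assumption is what makes the check sound and deserves a comment beside it, e.g. `/* axisCount and regionCount are narrow fields, so their product fits in unsigned; only the multiply by static_size can overflow. */`. The same expression is now written twice and must stay in step with get_size() (defined outside the hunk), so a private helper such as `bool array_size_overflows () const { return hb_unsigned_mul_overflows (axisCount * regionCount, VarRegionAxis::static_size); }` called from both sanitize and serialize would keep the guard and the size computation from drifting apart. sanitize's signature and serialize's loop body lie outside the hunks shown. The harfbuzz.cc addition of hb-ms-feature-ranges.cc appears unrelated to this overflow fix and would be easier to bisect in its own commit.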