diff --git a/src/pefile.cpp b/src/pefile.cpp
index 865738ec..397420a2 100644
--- a/src/pefile.cpp
+++ b/src/pefile.cpp
@@ -3106,6 +3106,9 @@ PeFile32::~PeFile32() noexcept {}
 
 void PeFile32::readPeHeader() {
     fi->readx(&ih, sizeof(ih));
+    if (31 < (unsigned) ih.subsystem) {
+        throwCantPack("bad ih.subsystem 0x%x", (unsigned) ih.subsystem);
+    }
     isefi = ((1u << ih.subsystem) &
              ((1u << IMAGE_SUBSYSTEM_EFI_APPLICATION) |
               (1u << IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) |
@@ -3159,6 +3162,9 @@ PeFile64::~PeFile64() noexcept {}
 
 void PeFile64::readPeHeader() {
     fi->readx(&ih, sizeof(ih));
+    if (31 < (unsigned) ih.subsystem) {
+        throwCantPack("bad ih.subsystem 0x%x", (unsigned) ih.subsystem);
+    }
     isefi = ((1u << ih.subsystem) &
              ((1u << IMAGE_SUBSYSTEM_EFI_APPLICATION) |
               (1u << IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) |