diff --git a/ChangeLog b/ChangeLog
index 480a6a6..1f11d56 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
 Check range of `glyph_index'.
 * src/cff/cffgload.h: Updated.
+ * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
+ correctly.
+
 2006-03-21 David Turner
 * src/autofit/aflatin.c (af_latin_metrics_scale): Fix small bug
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 4c1a340..d8f2ae3 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -2271,7 +2271,7 @@
 charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
 offset = TT_NEXT_ULONG( p );
- if ( offset && table + offset + 2 <= limit )
+ if ( offset && offset <= face->cmap_size - 2 )
 {
 FT_Byte* cmap = table + offset;
 volatile FT_UInt format = TT_PEEK_USHORT( cmap );
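Review bot: The new bound `offset <= face->cmap_size - 2` wraps when `face->cmap_size` is 0 or 1, assuming `cmap_size` is an unsigned byte count as its use here suggests: the subtraction becomes a huge value, any non-zero `offset` passes, and `table + offset` on the following line can point past the end of the cmap table. Unless an earlier check in tt_face_build_cmaps already guarantees a minimum table size (that part of the function is outside the hunk), I would write the test without the subtraction, `if ( offset && offset < face->cmap_size && face->cmap_size - offset >= 2 )`, which also avoids wrapping an `offset + 2` form for offsets near the type's maximum. This check only guarantees that the two-byte `format` field is readable; the subtable's own length still has to be validated against `face->cmap_size - offset` before the format-specific validator reads further, and I cannot see from the hunk whether the code that follows does so. The body of tt_face_build_cmaps begins before and continues after this hunk.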