--- a/ChangeLog
+++ a/ChangeLog
@@ -9,6 +9,9 @@
 Check range of `glyph_index'.
 * src/cff/cffgload.h: Updated.
 
+ * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
+ correctly.
+
 2006-03-21 David Turner
 
 * src/autofit/aflatin.c (af_latin_metrics_scale): Fix small bug
--- a/src/sfnt/ttcmap.c
+++ a/src/sfnt/ttcmap.c
@@ -2271,7 +2271,7 @@
 charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
 
 offset = TT_NEXT_ULONG( p );
- if ( offset && table + offset + 2 <= limit )
+ if ( offset && offset <= face->cmap_size - 2 )
 {
 FT_Byte* cmap = table + offset;
 volatile FT_UInt format = TT_PEEK_USHORT( cmap );
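Review bot: The new bound on the changed line wraps when `face->cmap_size` is smaller than 2, because the subtraction is evaluated in unsigned arithmetic (assuming cmap_size is an FT_ULong like the offset read by TT_NEXT_ULONG — confirm against the TT_FaceRec definition); a truncated cmap table of 0 or 1 bytes would then accept any non-zero offset and `TT_PEEK_USHORT( cmap )` on the last line of the hunk would read past the table. Checking the size first keeps the fix free of the pointer-overflow the commit removes while closing that corner: `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. The enclosing tt_face_build_cmaps starts and ends outside the hunk, so whether cmap_size is already validated when the table is loaded is not visible here; if it is, a one-line comment at the condition saying so would save the next reader the same question.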