diff --git a/ChangeLog b/ChangeLog
index ba6c185b6..616fdec22 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-07-19  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Sanitizer fix, second try.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Fix boundary
+	tests and use only one slot more.
+
 2016-07-19  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Sanitizer fix.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 033b57f3b..080e2ddce 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -159,9 +159,9 @@
     }
 
     /* in the nested loops below we increase `i' twice; */
-    /* it is faster to simply allocate two more slots   */
+    /* it is faster to simply allocate one more slot    */
     /* than to add another test within the loop         */
-    if ( FT_NEW_ARRAY( points, n + 2 ) )
+    if ( FT_NEW_ARRAY( points, n + 1 ) )
       return NULL;
 
     *point_cnt = n;
@@ -182,7 +182,7 @@
         {
           first      += FT_GET_USHORT();
           points[i++] = first;
-          if ( i == n )
+          if ( i >= n )
             break;
         }
       }
@@ -195,7 +195,7 @@
         {
           first      += FT_GET_BYTE();
           points[i++] = first;
-          if ( i == n )
+          if ( i >= n )
             break;
         }
       }