diff --git a/ChangeLog b/ChangeLog
index fc1ae90a6..ba6c185b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-07-19  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Sanitizer fix.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Increase array
+	to fix nested loops.
+
 2016-07-18  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Make GETDATA work only for GX fonts.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 7c85d6262..37157962e 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -158,13 +158,16 @@
       return NULL;
     }
 
-    if ( FT_NEW_ARRAY( points, n ) )
+    /* in the nested loops below we increase `i' twice; */
+    /* it is faster to simply allocate one more slot    */
+    /* than to add another test within the loop         */
+    if ( FT_NEW_ARRAY( points, n + 1 ) )
       return NULL;
 
     *point_cnt = n;
 
     first = 0;
-    i = 0;
+    i     = 0;
     while ( i < n )
     {
       runcnt = FT_GET_BYTE();