diff --git a/ChangeLog b/ChangeLog
index 63dc3f355..ff4b71d85 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-06-27  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix memory leak.
+
+	* src/cff/cffgload.c (cff_operator_seac): Free charstrings even in
+	case of errors.
+
 2010-06-27  Werner Lemberg  <wl@gnu.org>
 
 	[cff] Protect against invalid `hintmask' and `cntrmask' operators.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 51efcb9a9..e77e2801d 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -811,10 +811,10 @@
                                              charstring_len );
       decoder->seac = FALSE;
 
+      cff_free_glyph_data( face, &charstring, charstring_len );
+
       if ( error )
         goto Exit;
-
-      cff_free_glyph_data( face, &charstring, charstring_len );
     }
 
     /* Save the left bearing, advance and glyph width of the base */
@@ -841,10 +841,10 @@
                                              charstring_len );
       decoder->seac = FALSE;
 
+      cff_free_glyph_data( face, &charstring, charstring_len );
+
       if ( error )
         goto Exit;
-
-      cff_free_glyph_data( face, &charstring, charstring_len );
     }
 
     /* Restore the left side bearing, advance and glyph width */