diff --git a/ChangeLog b/ChangeLog
index a93b43d84..374f771c7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2019-12-21 Dominik Röttsches
+
+ Fix more UBSan warnings on adding offset to nullptr (#57432).
+
+ * src/truetype/ttinterp.c (Ins_LOOPCALL), src/psaux/psft.c
+ (cf2_initLocalRegionBuffer): Use `FT_OFFSET'.
+
 2019-12-16 Werner Lemberg
 [truetype] Fix UBSan warnings on adding offsets to nullptr.
diff --git a/src/psaux/psft.c b/src/psaux/psft.c
index 7c7ef2cbe..08dd33c84 100644
--- a/src/psaux/psft.c
+++ b/src/psaux/psft.c
@@ -823,7 +823,7 @@
 /* The CID driver stores subroutines with seed bytes. This */
 /* case is taken care of when decoder->subrs_len == 0. */
 if ( decoder->locals_len )
- buf->end = buf->start + decoder->locals_len[idx];
+ buf->end = FT_OFFSET( buf->start, decoder->locals_len[idx] );
 else
 {
 /* We are using subroutines from a CID font. We must adjust */
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 369c7b5ff..dca11d739 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4062,7 +4062,7 @@
 /* */
 /* If this isn't true, we need to look up the function table. */
- def = exc->FDefs + F;
+ def = FT_OFFSET( exc->FDefs, F );
 if ( exc->maxFunc + 1 != exc->numFDefs || def->opc != F )
 {
 /* look up the FDefs table */
@@ -4070,7 +4070,7 @@
 def = exc->FDefs;
- limit = def + exc->numFDefs;
+ limit = FT_OFFSET( def, exc->numFDefs );
 while ( def < limit && def->opc != F )
 def++;
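Review bot: The new `FT_OFFSET( buf->start, decoder->locals_len[idx] )` line carries no comment saying why plain pointer arithmetic was replaced, and the same applies to the two sites in src/truetype/ttinterp.c; without it the next reader is likely to "simplify" it back and reintroduce the UBSan report. Assuming FT_OFFSET only special-cases a zero count (its definition is not in the diff), it removes the `NULL + 0` case that UBSan flags but does nothing for a NULL buf->start combined with a non-zero length, so the pointer is only meaningful if the caller guarantees that idx is in range and that an empty region has length zero, neither of which this hunk checks. A one-line comment at the changed line would pin this down: `/* FT_OFFSET avoids NULL + 0 (UB, reported by UBSan) when the region is empty */`. cf2_initLocalRegionBuffer starts and ends outside the hunk.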
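Review bot: `def = FT_OFFSET( exc->FDefs, F )` still feeds the stack-supplied index F into a pointer that is dereferenced two lines later in `def->opc != F`, so the macro only silences the NULL-plus-zero case and the safety of that read rests on F having been checked against the function count earlier in Ins_LOOPCALL, which is outside this hunk and not visible here. If that check exists, the changed line should say so, e.g. `/* F was bounds-checked above; FT_OFFSET only avoids NULL + 0 UB */`; if it does not, the `def->opc` read needs a guard before it. The second hunk (`limit = FT_OFFSET( def, exc->numFDefs )`) looks fine as written, since, assuming FT_OFFSET returns the base unchanged for a zero count, a NULL FDefs with numFDefs == 0 gives limit == def and the while loop does not execute. Ins_LOOPCALL starts and ends outside both hunks.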