diff --git a/ChangeLog b/ChangeLog
index 4f0809563..75deee388 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-02-29 Werner Lemberg
+
+ [truetype] Fix Savannah bug #35640.
+
+ * src/truetype/ttinterp.c (SkipCode, TT_RunIns): Fix boundary check
+ for NPUSHB and NPUSHW instructions.
+
 2012-02-29 Werner Lemberg
 [truetype] Fix Savannah bug #35601.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index d0733b060..7f33afa4f 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
 CUR.length = opcode_length[CUR.opcode];
 if ( CUR.length < 0 )
 {
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
 goto Fail_Overflow;
 CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
 }
@@ -7544,7 +7544,7 @@
 if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
 {
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
 goto LErrorCodeOverflow_;
 CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
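Review bot: The corrected guard `if ( CUR.IP + 1 >= CUR.codeSize )` in the first ttinterp.c hunk (the `Fail_Overflow` one) has no comment saying which byte it protects, and the same holds for the identical guard in the `LErrorCodeOverflow_` hunk. I would put `/* NPUSHB/NPUSHW: the count byte at IP + 1 must lie inside [0, codeSize) */` above both, so the reason for `>=` rather than `>` stays visible to the next editor. The guard covers only the count byte read by `CUR.code[CUR.IP + 1]`; the operands spanned by the derived `CUR.length` need their own bound against `CUR.codeSize`, which presumably follows these lines but is outside both hunks, so it should be confirmed. Both enclosing functions start and end outside the hunks, and since the bytecode comes from the font file, a regression case whose program ends on an NPUSHB or NPUSHW opcode would keep this boundary covered.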