diff --git a/ChangeLog b/ChangeLog
index f58c3c7..f1fed5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -245,6 +245,9 @@ digit was given after the decimal point, or if more than two digits were given.
 It now works with one or two digits, and gives a compile time error if more are 
 given.
 
+71. In pcre2_substitute() there was the possibility of reading one code unit 
+beyond the end of the replacement string.
+
 
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index f5b4473..1c60381 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -427,8 +427,8 @@ do
           {
           name[n++] = next;
           if (n > 32) goto BAD;
-          if (ptr >= repend) break;
-          next = *(++ptr);
+          if (++ptr >= repend) break;
+          next = *ptr;
           }
         if (n == 0) goto BAD;
         name[n] = 0;