diff --git a/ChangeLog b/ChangeLog
index e6441ffeb..ef882374a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-11 Werner Lemberg
+
+ [cff] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2200
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2210
+
+ * src/cff/cf2hints.c (cf2_hintmap_insertHint): Use SUB_INT32 and
+ ADD_INT32.
+
+ * src/cff/cf2intrp.c (cf2_interpT2CharString) : Use
+ ADD_INT32.
+
 2017-06-10 Werner Lemberg
 [truetype] Fix TT_Set_Var_Design.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 9643bd470..0951e1e7a 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -651,8 +651,8 @@
                                          hintmap->scale );
-      firstHintEdge->dsCoord = midpoint - halfWidth;
-      secondHintEdge->dsCoord = midpoint + halfWidth;
+      firstHintEdge->dsCoord = SUB_INT32( midpoint, halfWidth );
+      secondHintEdge->dsCoord = ADD_INT32( midpoint, halfWidth );
     }
     else
       firstHintEdge->dsCoord = cf2_hintmap_map( hintmap->initialHintMap,
@@ -721,7 +721,7 @@
     /* insert first edge */
     hintmap->edge[indexInsert] = *firstHintEdge; /* copy struct */
-    hintmap->count += 1;
+    hintmap->count += 1;
     if ( isPair )
     {
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index a43d33ecd..a81628074 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -768,7 +768,8 @@
           FT_TRACE4(( " vmoveto\n" ));
           if ( cf2_stack_count( opStack ) > 1 && !haveWidth )
-            *width = cf2_stack_getReal( opStack, 0 ) + nominalWidthX;
+            *width = ADD_INT32( cf2_stack_getReal( opStack, 0 ),
+                                nominalWidthX );
           /* width is defined or default after this */
           haveWidth = TRUE;
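Review bot: The wrapped result of `SUB_INT32( midpoint, halfWidth )` and `ADD_INT32( midpoint, halfWidth )` on the two `dsCoord` lines is accepted without any range check, so if these are the wrapping macros from ftcalc.h (unsigned arithmetic cast back to FT_Int32) an overflowing hint pair from a malformed font now lands at a wrapped, nonsensical device-space position instead of being undefined behaviour; the same observation applies to the `*width` assignment in the cf2intrp.c hunk. That is the intended trade-off for a fuzzer-driven fix, but it deserves a comment at the first assignment, e.g. `/* wrapping add/sub: removes the UB, not the out-of-range value */`, so nobody later mistakes these for saturating operations. `halfWidth` comes from the `FT_MulFix` call whose tail is the first context line; the subtraction and halving that feed it are outside the hunk and are not visibly guarded here. cf2_hintmap_insertHint starts and ends outside the hunk.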
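Review bot: Only the vmoveto width computation is converted to `ADD_INT32`, while the other operators that derive the advance width from operand 0 and `nominalWidthX` (presumably hmoveto, rmoveto and endchar, elsewhere in cf2_interpT2CharString) are not in this hunk; if they still use the `cf2_stack_getReal( opStack, 0 ) + nominalWidthX` form, they carry the identical signed-overflow reachable from font data and should receive the same treatment in this commit rather than waiting for the next fuzzer report. A short comment on the new line, e.g. `/* operand comes from the charstring; guard the add against overflow */`, would record why the macro is used here. cf2_interpT2CharString continues outside the hunk on both sides.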