diff --git a/ChangeLog b/ChangeLog
index 3c95165f8..f40f4db38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-22 Werner Lemberg
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
+
+ * src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
+ SUB_INT32.
+
+ * src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
+
 2017-06-21 Alexei Podtelezhnikov
 [sfnt] Synthesize a Unicode charmap if one is missing.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index f5b44b21c..f9f5bbb8f 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -515,7 +515,7 @@
 dsNew = cf2_fixedRound( bottomHintEdge->dsCoord );
 }
- dsMove = dsNew - bottomHintEdge->dsCoord;
+ dsMove = SUB_INT32( dsNew, bottomHintEdge->dsCoord );
 captured = TRUE;
 break;
@@ -549,7 +549,7 @@
 dsNew = cf2_fixedRound( topHintEdge->dsCoord );
 }
- dsMove = dsNew - topHintEdge->dsCoord;
+ dsMove = SUB_INT32( dsNew, topHintEdge->dsCoord );
 captured = TRUE;
 break;
@@ -562,13 +562,14 @@
 /* move both edges and flag them `locked' */
 if ( cf2_hint_isValid( bottomHintEdge ) )
 {
- bottomHintEdge->dsCoord += dsMove;
+ bottomHintEdge->dsCoord = ADD_INT32( bottomHintEdge->dsCoord,
+ dsMove );
 cf2_hint_lock( bottomHintEdge );
 }
 if ( cf2_hint_isValid( topHintEdge ) )
 {
- topHintEdge->dsCoord += dsMove;
+ topHintEdge->dsCoord = ADD_INT32( topHintEdge->dsCoord, dsMove );
 cf2_hint_lock( topHintEdge );
 }
 }
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index c6605bb92..a032923ed 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
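Review bot: The first context line of the @@ -515 hunk, `dsNew = cf2_fixedRound( bottomHintEdge->dsCoord );`, still does arithmetic on the very coordinate that the new SUB_INT32 protects; if cf2_fixedRound is implemented as a plain signed addition of 0x8000 (not visible here, confirm in cf2fixed.h), a dsCoord near INT32_MAX overflows one line before the macro is reached, and the same applies to the @@ -549 hunk. ADD_INT32/SUB_INT32, as FreeType defines them in ftcalc.h, wrap modulo 2^32 rather than saturate or report, so the change removes undefined behaviour but not out-of-range dsCoord values, and the @@ -562 hunk then locks both edges at whatever wrapped position results. A one-line comment at the first ADD_INT32 site would make that explicit for later readers, e.g. `/* wrapping, not saturating: avoids UB, the edge may still land far outside the glyph */`. The cf2_blues_capture body begins before and ends after these hunks.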
@@ -4927,12 +4927,12 @@
 }
 {
- FT_Vector* v1 = exc->zp1.org + p2;
- FT_Vector* v2 = exc->zp2.org + p1;
+ FT_Vector* v1 = exc->zp1.org + p2;
+ FT_Vector* v2 = exc->zp2.org + p1;
- A = v1->x - v2->x;
- B = v1->y - v2->y;
+ A = SUB_LONG( v1->x, v2->x );
+ B = SUB_LONG( v1->y, v2->y );
 /* If v1 == v2, SDPvTL behaves the same as */
 /* SVTCA[X], respectively. */
@@ -4948,9 +4948,9 @@
 if ( ( opcode & 1 ) != 0 )
 {
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
 }
 Normalize( A, B, &exc->GS.dualVector );
@@ -4960,8 +4960,8 @@
 FT_Vector* v2 = exc->zp2.cur + p1;
- A = v1->x - v2->x;
- B = v1->y - v2->y;
+ A = SUB_LONG( v1->x, v2->x );
+ B = SUB_LONG( v1->y, v2->y );
 if ( A == 0 && B == 0 )
 {
@@ -4972,9 +4972,9 @@
 if ( ( opcode & 1 ) != 0 )
 {
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
 }
 Normalize( A, B, &exc->GS.projVector );
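Review bot: `A = NEG_LONG( C );` at the end of the @@ -4948 hunk (and again in @@ -4972) maps LONG_MIN to itself, so after the rotation A can equal LONG_MIN and B can be any wrapped difference produced by the SUB_LONG lines; the `Normalize( A, B, ... )` call on the following line must tolerate such magnitudes, which this commit does not check. A comment at the call site would record that contract, e.g. `/* A and B are wrapped, not saturated; Normalize must cope with |A|, |B| up to LONG_MAX */`, together with a confirmation that Normalize scales its inputs down before squaring them (its body is not in the hunk). Separately, the @@ -4927 hunk also rewrites the two `FT_Vector* v1`/`v2` declarations whose text differs only in whitespace, which mixes cosmetic churn into an overflow fix and makes the security-relevant lines harder to pick out. The Ins_SDPVTL body begins before and ends after these hunks.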