diff --git a/ChangeLog b/ChangeLog
index 767309f7d..235e4093e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-07-07 Werner Lemberg
+
+ [cff] Integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
+
+ * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
+
 2017-07-05 Werner Lemberg
 * src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index f9f5bbb8f..c491f2f9e 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -524,17 +524,18 @@
 if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) )
 {
-if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
-topHintEdge->csCoord &&
+if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
+topHintEdge->csCoord &&
 topHintEdge->csCoord <=
-ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
+ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
 {
 /* top edge captured by top zone */
 if ( blues->suppressOvershoot )
 dsNew = blues->zone[i].dsFlatEdge;
-else if ( ( topHintEdge->csCoord - blues->zone[i].csBottomEdge ) >=
+else if ( SUB_INT32( topHintEdge->csCoord,
+blues->zone[i].csBottomEdge ) >=
 blues->blueShift )
 {
 /* guarantee minimum of 1 pixel overshoot */
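Review bot: The overshoot test in the `else if` now subtracts with SUB_INT32, but nothing in the hunk records why the plain `-` was unsafe there, so a later cleanup could reintroduce it; a one-line comment above the `else if` such as `/* csCoord and csBottomEdge are font-supplied; SUB_INT32 avoids signed overflow on hostile input (oss-fuzz 2517) */` would pin the intent. The zone-capture test a few lines above already used SUB_INT32/ADD_INT32, so this was the remaining raw subtraction on font-derived coordinates in the top-zone branch; if the mirror-image bottom-zone branch of cf2_blues_capture still subtracts the bottom hint edge from `blues->zone[i].csTopEdge` with a bare `-`, it presumably needs the same treatment, which cannot be confirmed from this hunk. The first changed lines only drop redundant parentheses and re-align the `&&`, which is fine as style. The enclosing function starts and ends outside the hunk.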