diff --git a/ChangeLog b/ChangeLog index 6442e8754..8d4e31676 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2017-06-06 Werner Lemberg + + [cff] Integer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122 + + * src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32. + + * src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else + branches. + 2017-06-05 Werner Lemberg [cff] Integer overflow. diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c index a94254d82..262be8322 100644 --- a/src/cff/cf2blues.c +++ b/src/cff/cf2blues.c @@ -194,8 +194,9 @@ blues->zone[blues->count].csTopEdge = cf2_blueToFixed( blueValues[i + 1] ); - zoneHeight = blues->zone[blues->count].csTopEdge - - blues->zone[blues->count].csBottomEdge; + zoneHeight = OVERFLOW_SUB_INT32( + blues->zone[blues->count].csTopEdge, + blues->zone[blues->count].csBottomEdge ); if ( zoneHeight < 0 ) { diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index d7938c9c6..e326c1b66 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -332,7 +332,8 @@ { /* special case for points below first edge: use uniform scale */ return OVERFLOW_ADD_INT32( - FT_MulFix( csCoord - hintmap->edge[0].csCoord, + FT_MulFix( OVERFLOW_SUB_INT32( csCoord, + hintmap->edge[0].csCoord ), hintmap->scale ), hintmap->edge[0].dsCoord ); }
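Review bot: The `if ( zoneHeight < 0 )` test that follows the new OVERFLOW_SUB_INT32 call in cf2_blues_init can no longer reliably reject inverted zones: if the macro wraps modulo 2^32 to avoid signed-overflow UB, as its name suggests (its definition is outside this hunk), a csBottomEdge far above csTopEdge produces a positive wrapped zoneHeight and the zone passes the sanity check. Express the check on the edges themselves, which is what the sign test means and cannot overflow: `if ( blues->zone[blues->count].csTopEdge < blues->zone[blues->count].csBottomEdge )`. The wrapped zoneHeight is presumably still consumed after the check; with the direct comparison in place a wrong-but-defined value only reaches that code for zones whose edges are in the right order. cf2_blues_init starts and ends outside the hunk.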
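Review bot: The result of the new OVERFLOW_SUB_INT32 call in cf2_hintmap_map is fed straight into FT_MulFix, so when csCoord and hintmap->edge[0].csCoord differ by more than 2^31 the point is mapped to a wrapped, essentially arbitrary device coordinate instead of being rejected; that is presumably the intended trade-off for fuzzer-found fonts (defined behaviour over a meaningful result), but nothing at this site says so. I'd add above the return: `/* OVERFLOW_* macros wrap rather than saturate; coordinates outside the 32-bit range give well-defined but meaningless results */`. The ChangeLog says this branch is being brought in line with its counterpart, but that branch and the rest of cf2_hintmap_map lie outside the hunk, so I cannot confirm the two now agree.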