diff --git a/ChangeLog b/ChangeLog
index 861eca955..d5697dae4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-12-22 Werner Lemberg
+
+ [cff] Protect against invalid `vsindex' and `blend' values.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=305
+
+ * src/cff/cf2intrp.c (cf2_interpT2CharString) : Implement it.
+
 2016-12-22 Werner Lemberg
 [ftfuzzer] Always use Adobe CFF engine.
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 2bbbb33be..9c059a181 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -659,7 +659,13 @@
 goto exit;
 }
- font->vsindex = (FT_UInt)cf2_stack_popInt( opStack );
+ {
+ FT_Int temp = cf2_stack_popInt( opStack );
+
+
+ if ( temp >= 0 )
+ font->vsindex = (FT_UInt)temp;
+ }
 break;
 case cf2_cmdBLEND:
@@ -687,7 +693,12 @@
 }
 /* do the blend */
- numBlends = (FT_UInt)cf2_stack_popInt( opStack );
+ {
+ FT_Int temp = cf2_stack_popInt( opStack );
+
+
+ numBlends = temp > 0 ? (FT_UInt)temp : 0;
+ }
 cf2_doBlend( &font->blend, opStack, numBlends );
 font->blend.usedBV = TRUE;
@@ -1225,7 +1236,7 @@
 idx = cf2_stack_popInt( opStack );
 if ( idx >= 0 && idx < CF2_STORAGE_SIZE )
- cf2_stack_pushFixed( opStack, storage[idx] );
+ cf2_stack_pushFixed( opStack, storage[idx] );
 }
 continue; /* do not clear the stack */
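Review bot: The new guard in the cf2_cmdVSINDEX case (hunk at -659,+659) only rejects a negative operand; any non-negative value is stored into font->vsindex with no upper bound, so a fuzzed charstring can still select a variation-store item that does not exist unless whatever later reads font->vsindex range-checks it against the store's item count, which this hunk does not show. If that consumer does not check, the comparison belongs here, before the assignment, against the number of variation data items the font actually carries. It is also worth a one-line comment that a rejected operand is dropped silently and the previously selected vsindex stays in effect, e.g. `/* negative vsindex is invalid; keep the current value rather than fail */`. The enclosing cf2_interpT2CharString body starts and ends outside this hunk.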
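Review bot: In the cf2_cmdBLEND hunk (-687,+693) numBlends is clamped to zero, but nothing here confirms that the operand stack actually holds the numBlends-dependent count of deltas that cf2_doBlend will consume; an oversized count from the charstring is rejected only if cf2_doBlend itself compares it with the stack depth, which cannot be seen from this hunk. A short comment at the call stating that precondition, e.g. `/* cf2_doBlend must bound numBlends by the remaining stack depth */`, would make the division of responsibility explicit for the next reader. This code is inside cf2_interpT2CharString, whose body extends outside the hunk.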