diff --git a/src/util.c b/src/util.c
index ce000e6498a09103010105f2ffca5931cef25b7e..5da9db523dbeb2c76b663513903d66c83c8adaf1 100644
--- a/src/util.c
+++ b/src/util.c
@@ -186,8 +186,8 @@ static void freedir_hlnk(struct dir *d) {
 if(pt==par)
 i=0;
 if(i) {
- par->size -= d->size;
- par->asize -= d->asize;
+ par->size = adds64(par->size, -d->size);
+ par->asize = adds64(par->size, -d->asize);
 }
 }
diff --git a/src/util.h b/src/util.h
index 5c638766f1c4d7306f96530221d7d66dec0ecb58..933bf97acc2b00fa0ac2b7eb8fcbfe221c2eb005 100644
--- a/src/util.h
+++ b/src/util.h
@@ -81,11 +81,14 @@ char *getpath(struct dir *);
 /* returns the root element of the given dir struct */
 struct dir *getroot(struct dir *);
-/* Add two positive signed 64-bit integers. Returns INT64_MAX if the result
- * would overflow.
+/* Add two signed 64-bit integers. Returns INT64_MAX if the result would
+ * overflow, or 0 if it would be negative. At least one of the integers must be
+ * positive.
 * I use uint64_t's to detect the overflow, as (a + b < 0) relies on undefined
 * behaviour, and (INT64_MAX - b >= a) didn't work for some reason. */
-#define adds64(a, b) ((uint64_t)(a) + (uint64_t)(b) > (uint64_t)INT64_MAX ? INT64_MAX : (a)+(b))
+#define adds64(a, b) ((a) > 0 && (b) > 0\
+ ? ((uint64_t)(a) + (uint64_t)(b) > (uint64_t)INT64_MAX ? INT64_MAX : (a)+(b))\
+ : (a)+(b) < 0 ? 0 : (a)+(b))
 /* Adds a value to the size, asize and items fields of *d and its parents */
 void addparentstats(struct dir *, int64_t, int64_t, int);
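Review bot: In the src/util.c hunk the second added line reads the wrong field: `par->asize = adds64(par->size, -d->asize);` derives the new apparent size from `par->size`, which the line above has just updated, so every parent's `asize` is overwritten with a disk-size-based value when a hard link is freed. It should be `par->asize = adds64(par->asize, -d->asize);`. The negations `-d->size` and `-d->asize` are only defined if those fields can never be INT64_MIN, which presumably holds because sizes are kept non-negative, but nothing in the visible lines enforces it. The enclosing loop and the rest of freedir_hlnk lie outside the hunk.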
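Review bot: The new `adds64` macro in src/util.h evaluates each argument up to four times, and its fallback branch `(a)+(b) < 0` is still a plain signed addition, so two negative operands can overflow, which is exactly the undefined behaviour the comment sets out to avoid. The "at least one of the integers must be positive" rule is only stated in the comment and never checked, so a caller passing an expression with side effects or two negative values gets no diagnostic. A `static inline` function with the same name and argument order removes both hazards and makes the clamping range explicit; the sketch below keeps the documented results (INT64_MAX on overflow, 0 when the sum would be negative) for all inputs. Separately, once a total has saturated at INT64_MAX, subtracting from it as freedir_hlnk now does can no longer recover the true value, which is worth a line in the comment.

```c
/* Saturating add: the result is clamped to the range [0, INT64_MAX]. */
static inline int64_t adds64(int64_t a, int64_t b) {
  if(b > 0 && a > INT64_MAX - b)
    return INT64_MAX;           /* a + b would exceed INT64_MAX */
  if(b < 0 && a < INT64_MIN - b)
    return 0;                   /* a + b would fall below INT64_MIN */
  return a + b < 0 ? 0 : a + b; /* no overflow possible here */
}
```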