diff --git a/src/backend/utils/adt/multirangetypes.c b/src/backend/utils/adt/multirangetypes.c
index 9548989d782..c62a5e755ea 100644
--- a/src/backend/utils/adt/multirangetypes.c
+++ b/src/backend/utils/adt/multirangetypes.c
@@ -340,7 +340,7 @@ multirange_recv(PG_FUNCTION_ARGS)
 	Oid			mltrngtypoid = PG_GETARG_OID(1);
 	int32		typmod = PG_GETARG_INT32(2);
 	MultirangeIOData *cache;
-	uint32		range_count;
+	int32		range_count;
 	RangeType **ranges;
 	MultirangeType *ret;
 	StringInfoData tmpbuf;
@@ -348,6 +348,7 @@ multirange_recv(PG_FUNCTION_ARGS)
 	cache = get_multirange_io_data(fcinfo, mltrngtypoid, IOFunc_receive);
 
 	range_count = pq_getmsgint(buf, 4);
+	/* palloc_array will enforce a more-or-less-sane range_count value */
 	ranges = palloc_array(RangeType *, range_count);
 
 	initStringInfo(&tmpbuf);
diff --git a/src/common/blkreftable.c b/src/common/blkreftable.c
index 37a9d14b00e..2bb91e39128 100644
--- a/src/common/blkreftable.c
+++ b/src/common/blkreftable.c
@@ -657,6 +657,20 @@ BlockRefTableReaderNextRelation(BlockRefTableReader *reader,
 		return false;
 	}
 
+	/*
+	 * Sanity-check the nchunks value.  In the backend, palloc_array would
+	 * enforce this anyway (with a more generic error message); but in
+	 * frontend it would not, potentially allowing BlockRefTableRead's length
+	 * parameter to overflow.
+	 */
+	if (sentry.nchunks > MaxAllocSize / sizeof(uint16))
+	{
+		reader->error_callback(reader->error_callback_arg,
+							   "file \"%s\" has oversized chunk size array",
+							   reader->error_filename);
+		return false;
+	}
+
 	/* Read chunk size array. */
 	if (reader->chunk_size != NULL)
 		pfree(reader->chunk_size);