diff --git a/src/lib_json/json_reader.cpp b/src/lib_json/json_reader.cpp
index f3a5c41..76e12f9 100644
--- a/src/lib_json/json_reader.cpp
+++ b/src/lib_json/json_reader.cpp
@@ -611,6 +611,11 @@ Reader::decodeDouble( Token &token )
 int count;
 int length = int(token.end_ - token.start_);
 
+ // Sanity check to avoid buffer overflow exploits.
+ if (length < 0) {
+ return addError( "Unable to parse token length", token );
+ }
+
 // Avoid using a string constant for the format control string given to
 // sscanf, as this can cause hard to debug crashes on OS X. See here for more
 // info:
diff --git a/src/lib_json/json_value.cpp b/src/lib_json/json_value.cpp
index c48455b..dd60a50 100644
--- a/src/lib_json/json_value.cpp
+++ b/src/lib_json/json_value.cpp
@@ -56,6 +56,12 @@ duplicateStringValue( const char *value,
 {
 if ( length == unknown )
 length = (unsigned int)strlen(value);
+
+ // Avoid an integer overflow in the call to malloc below by limiting length
+ // to a sane value.
+ if (length >= (unsigned)Value::maxInt)
+ length = Value::maxInt - 1;
+
 char *newString = static_cast( malloc( length + 1 ) );
 JSON_ASSERT_MESSAGE( newString != 0, "Failed to allocate string value buffer" );
 memcpy( newString, value, length );
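Review bot: The new `if (length < 0)` guard in decodeDouble runs after `token.end_ - token.start_` has already been narrowed by `int(...)` on the line above, so a pointer difference too wide for int could wrap to a small non-negative value and pass the check. Checking the unnarrowed difference first closes that gap: `const std::ptrdiff_t span = token.end_ - token.start_; if (span < 0 || span > INT_MAX) return addError( "Unable to parse token length", token );` followed by `int length = int(span);` (assuming `<cstddef>`/`<climits>` are available in this file, which the hunk does not show). The added comment would also be more useful if it named the invariant being enforced, e.g. `// end_ must not precede start_; a negative length would later be used as a copy size.` The body of decodeDouble continues past the hunk, so whether length is also bounded against the local buffer it is copied into cannot be confirmed here.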
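Review bot: The clamp at `if (length >= (unsigned)Value::maxInt)` in duplicateStringValue silently truncates the copied string to `maxInt - 1` bytes, so an oversized input is accepted with altered contents and the caller has no way to notice. The same function already fails hard on the next visible line with `JSON_ASSERT_MESSAGE` when malloc returns null, so rejecting rather than truncating fits the file's existing error style: replace the two clamp lines with `JSON_ASSERT_MESSAGE( length < (unsigned)Value::maxInt, "String value too long to duplicate" );`. The comment should also state the concrete hazard instead of "a sane value", e.g. `// length + 1 wraps to 0 when length is UINT_MAX, which would hand memcpy a zero-byte buffer.` The `static_cast( malloc( ... ) )` on the context line appears to have lost its template argument in rendering (presumably `static_cast<char *>`), and the function's signature and end lie outside the hunk.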