diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 567692e7a4..48fbb433aa 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -2043,6 +2043,14 @@ read_one_rr(dns_journal_t *j) {
 ttl = isc_buffer_getuint32(&j->it.source);
 rdlen = isc_buffer_getuint16(&j->it.source);
+ if (rdlen > DNS_RDATA_MAXLENGTH) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal corrupt: impossible rdlen "
+ "(%u bytes)",
+ j->filename, rdlen);
+ FAIL(ISC_R_FAILURE);
+ }
+
 /*
 * Parse the rdata.
 */
@@ -2613,6 +2621,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
 CHECK(result);
 size = xhdr.size;
+ if (size > len) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS,
+ ISC_LOG_ERROR,
+ "%s: journal file corrupt, "
+ "transaction too large",
+ j1->filename);
+ CHECK(ISC_R_FAILURE);
+ }
 buf = isc_mem_get(mctx, size);
 result = journal_read(j1, buf, size);
@@ -2637,6 +2653,15 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
 /* Check again */
 isc_mem_put(mctx, buf, size);
 size = xhdr.size;
+ if (size > len) {
+ isc_log_write(
+ JOURNAL_COMMON_LOGARGS,
+ ISC_LOG_ERROR,
+ "%s: journal file corrupt, "
+ "transaction too large",
+ j1->filename);
+ CHECK(ISC_R_FAILURE);
+ }
 buf = isc_mem_get(mctx, size);
 CHECK(journal_read(j1, buf, size));
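Review bot: The guard added in read_one_rr() bounds rdlen only against DNS_RDATA_MAXLENGTH, so a length that is legal for the protocol but larger than what remains in j->it.source is not rejected by these lines. The rdata parse that follows is outside this hunk, so confirm that a remaining-length check sits between this guard and the parse. A short comment above the check would record why it exists, for example `/* rdlen is read from the journal file and may be corrupt; reject lengths no valid rdata can have. */`. The function body starts and continues outside the hunk.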
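Review bot: The "transaction too large" message added before the first isc_mem_get() in dns_journal_compact() logs neither size nor len, unlike the rdlen message in read_one_rr(), so a corrupt journal cannot be triaged from the log alone. Adding both values to the format string would fix that; their declarations are outside the hunk, so the specifiers need to match them. The same check is repeated in the hunk at -2637, and a small static helper taking j1, size and len would keep the two copies from drifting. A comment such as `/* xhdr.size comes from the file; refuse to allocate more than len. */` would also help, once the meaning of len, which is set outside this hunk, is stated next to it.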
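Review bot: The CHECK(ISC_R_FAILURE) added after `/* Check again */` creates a new exit from dns_journal_compact() at a point where buf has just been released by isc_mem_put() and size already holds the new xhdr.size. The cleanup path is outside this hunk; if it releases buf using size, it must see buf as NULL here, so confirm that isc_mem_put() clears the pointer. Testing the header value before the release, with `if (xhdr.size > len) {` placed ahead of `isc_mem_put(mctx, buf, size);`, would keep buf and size consistent on the error path regardless of how cleanup is written.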