diff --git a/src/music/midifile.cpp b/src/music/midifile.cpp
index e237f3b0cf..7dc09b6e01 100644
--- a/src/music/midifile.cpp
+++ b/src/music/midifile.cpp
@@ -203,6 +203,9 @@ static bool ReadTrackChunk(FileHandle &file, MidiFile &target)
 }
 chunk_length = FROM_BE32(chunk_length);
+ /* Limit chunk size to 1 MiB. */
+ if (chunk_length > 1024 * 1024) return false;
+
 ByteBuffer chunk(file, chunk_length);
 if (!chunk.IsValid()) {
 return false;
diff --git a/src/newgrf.cpp b/src/newgrf.cpp
index 3d528ac532..36356bc666 100644
--- a/src/newgrf.cpp
+++ b/src/newgrf.cpp
@@ -9957,6 +9957,13 @@ static void LoadNewGRFFileFromFile(GRFConfig &config, GrfLoadingStage stage, Spr
 if (type == 0xFF) {
 if (_cur.skip_sprites == 0) {
+ /* Limit the special sprites to 1 MiB. */
+ if (num > 1024 * 1024) {
+ GrfMsg(0, "LoadNewGRFFile: Unexpectedly large sprite, disabling");
+ DisableGrf(STR_NEWGRF_ERROR_UNEXPECTED_SPRITE);
+ break;
+ }
+
 DecodeSpecialSprite(buf.Allocate(num), num, stage);
 /* Stop all processing if we are to skip the remaining sprites */
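Review bot: The new guard on `chunk_length` returns false without reporting why, so a file rejected for size cannot be told apart from a truncated or corrupt one by whoever handles the failure. `chunk_length` is read from the file and sizes the `ByteBuffer` on the following line, so this is the right place to bound the allocation, but the bare `1024 * 1024` literal is repeated in the src/newgrf.cpp hunk and nothing records why that value was chosen. I would name it, e.g. `static constexpr size_t MAX_TRACK_CHUNK_SIZE = 1024 * 1024; ///< Largest track chunk accepted from an untrusted file.`, and emit a debug message before returning, as the newgrf hunk does. ReadTrackChunk starts and ends outside the hunk.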
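Review bot: The message logged when `num > 1024 * 1024` includes neither the offending size nor the limit, and the user-facing error reuses `STR_NEWGRF_ERROR_UNEXPECTED_SPRITE`, whose name suggests a different condition than an oversized sprite (the string's text is not visible here). Putting `num` in the `GrfMsg` text would show anyone triaging a rejected or malformed GRF how far over the bound it was. The `break` exits the enclosing loop, which starts outside the hunk, without consuming the sprite's `num` bytes; that is presumably fine because the GRF has just been disabled, and a comment such as `/* GRF is disabled; the unread sprite data is abandoned with it. */` would make the intent explicit.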