diff --git a/js/public/UbiNodeShortestPaths.h b/js/public/UbiNodeShortestPaths.h
index 35745ae9f935..c5bd84d4e47c 100644
--- a/js/public/UbiNodeShortestPaths.h
+++ b/js/public/UbiNodeShortestPaths.h
@@ -7,6 +7,7 @@
 #ifndef js_UbiNodeShortestPaths_h
 #define js_UbiNodeShortestPaths_h
 
+#include "mozilla/CheckedInt.h"
 #include "mozilla/Maybe.h"
 
 #include <utility>
@@ -246,6 +247,12 @@ struct JS_PUBLIC_API ShortestPaths {
     MOZ_ASSERT(targets.count() > 0);
     MOZ_ASSERT(maxNumPaths > 0);
 
+    mozilla::CheckedInt<uint32_t> max = maxNumPaths;
+    max *= targets.count();
+    if (!max.isValid()) {
+      return mozilla::Nothing();
+    }
+
     ShortestPaths paths(maxNumPaths, root, std::move(targets));
 
     Handler handler(paths);
diff --git a/js/src/jit-test/tests/heap-analysis/shortestPaths.js b/js/src/jit-test/tests/heap-analysis/shortestPaths.js
index 7e656414fe2a..f18e2dc8366c 100644
--- a/js/src/jit-test/tests/heap-analysis/shortestPaths.js
+++ b/js/src/jit-test/tests/heap-analysis/shortestPaths.js
@@ -79,6 +79,12 @@ assertEq(e, "TypeError: 100 is not an array object");
 try { paths = shortestPaths([f], {start: 200}); } catch (exc) { e = ""+exc; };
 assertEq(e, "TypeError: 200 is not a GC thing");
 
+try { paths = shortestPaths([f, {}, {}, {}], { maxNumPaths: 0x40000000 }); } catch (exc) { e = "" + exc; };
+assertEq(e, "out of memory");
+
+try { paths = shortestPaths([f], { maxNumPaths: -1 }); } catch (exc) { e = "" + exc; };
+assertEq(e, "TypeError: -1 is not greater than 0");
+
 // Bug 1799824.
 let arr = [{}];
 let objWithGetter = {get start() { arr.length = 0; return {}; }};