diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index b89c14294..2e77eae0d 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -1436,6 +1436,9 @@ protected:
 // All data from successfully parsed properties are placed into |mData|.
 nsCSSExpandedDataBlock mData;
+ // Value to make sure our resolved variable results stay within sane limits.
+ const uint32_t MAX_CSS_VAR_LENGTH = 10240;
+
 public:
 // Used from nsCSSParser constructors and destructors
 CSSParserImpl* mNextFree;
@@ -2612,6 +2615,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
 // Invalid variable with no fallback.
 return false;
 }
+ // Make sure we are still using sane sizes for value and
+ // variableValue, and abort if OOB.
+ if (MOZ_UNLIKELY((value.Length() > MAX_CSS_VAR_LENGTH) ||
+ (variableValue.Length() > MAX_CSS_VAR_LENGTH))) {
+ return false;
+ }
 // Valid variable with no fallback.
 AppendTokens(value, valueFirstToken, valueLastToken, varFirstToken, varLastToken, variableValue);
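Review bot: `MAX_CSS_VAR_LENGTH` is declared as a non-static `const` data member, so every `CSSParserImpl` instance stores its own copy and the class loses its implicit copy assignment. A class-level constant such as `static constexpr uint32_t MAX_CSS_VAR_LENGTH = 10240;` expresses the intent better. The comment should also state the unit the limit is measured in. It is compared against `Length()` in the second hunk, which is presumably string code units rather than bytes or tokens. It should also say why the cap exists, namely to bound growth of the resolved value during variable substitution.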
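Review bot: The length check runs before `AppendTokens` and tests `value` and `variableValue` separately, so the string produced by the append can still be close to twice `MAX_CSS_VAR_LENGTH` before the next check rejects it. If the constant is meant to cap the resolved result, also test the combined size, for example `uint64_t(value.Length()) + variableValue.Length() > MAX_CSS_VAR_LENGTH`, or document that the effective bound is about 2x. The guard sits only on the "valid variable with no fallback" path shown here. The rest of `ResolveValueWithVariableReferencesRec` lies outside the hunk, so it is worth confirming that the fallback path and any other place that appends resolved text are limited in the same way. "abort if OOB" reads as a memory out-of-bounds condition; a wording like `// Treat the value as invalid if either string exceeds the limit.` describes what the code does.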