diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
index b92c2d41b2..a9f54d32c9 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
@@ -26,6 +26,7 @@ import java.util.NoSuchElementException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.model.types.LFOAbstractType;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.LittleEndianConsts;
 
@@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box;
  * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc)
  * Binary File Format
  */
-public class PlfLfo
-{
+public class PlfLfo {
     private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class);
 
+    private static final int MAX_NUMBER_OF_LFO = 100_000;
+
     /**
      * An unsigned integer that specifies the count of elements in both the
      * rgLfo and rgLfoData arrays.
@@ -76,6 +78,8 @@ public class PlfLfo
                             + Integer.MAX_VALUE + " elements" );
         }
 
+        IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO);
+
         this._lfoMac = (int) lfoMacLong;
         _rgLfo = new LFO[_lfoMac];
         _rgLfoData = new LFOData[_lfoMac];
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index fcae380bbf..0df1b84f6b 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -54,7 +54,9 @@ public class TestWordToConverterSuite
         "password_tika_binaryrc4.doc",
         "password_password_cryptoapi.doc",
         // WORD 2.0 file
-        "word2.doc"
+        "word2.doc",
+        // Corrupt file
+        "Fuzzed.doc"
     );
 
     public static Stream<Arguments> files() {
diff --git a/test-data/document/Fuzzed.doc b/test-data/document/Fuzzed.doc
new file mode 100644
index 0000000000..c8201d8859
Binary files /dev/null and b/test-data/document/Fuzzed.doc differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 4a3e253615..bd26bf16d1 100644
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ