diff --git a/dom/base/nsXMLHttpRequest.cpp b/dom/base/nsXMLHttpRequest.cpp
index 2912ff4fd62..cd39cd53396 100644
--- a/dom/base/nsXMLHttpRequest.cpp
+++ b/dom/base/nsXMLHttpRequest.cpp
@@ -678,13 +678,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
                                        &destBufferLen);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible)) {
+  uint32_t size = mResponseText.Length() + destBufferLen;
+  if (size < (uint32_t)destBufferLen) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  if (!mResponseText.SetCapacity(size, fallible)) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
 
-  int32_t totalChars = mResponseText.Length();
+  CheckedInt32 totalChars = mResponseText.Length();
 
   // This code here is basically a copy of a similar thing in
   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
@@ -697,9 +702,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   totalChars += destlen;
+  if (!totalChars.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
 
-  mResponseText.SetLength(totalChars);
-
+  mResponseText.SetLength(totalChars.value());
   return NS_OK;
 }