diff --git a/content/html/content/src/Makefile.in b/content/html/content/src/Makefile.in
index 74e3978e223a..83d573c7ebdf 100644
--- a/content/html/content/src/Makefile.in
+++ b/content/html/content/src/Makefile.in
@@ -153,6 +153,7 @@ INCLUDES	+= \
 		-I$(srcdir)/../../../events/src \
 		-I$(srcdir)/../../../xbl/src \
 		-I$(srcdir)/../../../../layout/style \
+		-I$(srcdir)/../../../../layout/tables \
 		-I$(srcdir) \
 		$(NULL)
 
diff --git a/content/html/content/src/nsHTMLTableCellElement.cpp b/content/html/content/src/nsHTMLTableCellElement.cpp
index 4ae8ae09f3f1..d6570552f5af 100644
--- a/content/html/content/src/nsHTMLTableCellElement.cpp
+++ b/content/html/content/src/nsHTMLTableCellElement.cpp
@@ -45,6 +45,7 @@
 #include "nsPresContext.h"
 #include "nsRuleData.h"
 #include "nsIDocument.h"
+#include "celldata.h"
 
 class nsHTMLTableCellElement : public nsGenericHTMLElement,
                                public nsIDOMHTMLTableCellElement
@@ -261,9 +262,6 @@ static const nsAttrValue::EnumTable kCellScopeTable[] = {
   { 0 }
 };
 
-#define MAX_ROWSPAN 8190 // celldata.h can not handle more
-#define MAX_COLSPAN 1000 // limit as IE and opera do
-
 PRBool
 nsHTMLTableCellElement::ParseAttribute(PRInt32 aNamespaceID,
                                        nsIAtom* aAttribute,
diff --git a/layout/mathml/base/src/nsMathMLmtableFrame.cpp b/layout/mathml/base/src/nsMathMLmtableFrame.cpp
index 76810e3bfb48..76084b203621 100644
--- a/layout/mathml/base/src/nsMathMLmtableFrame.cpp
+++ b/layout/mathml/base/src/nsMathMLmtableFrame.cpp
@@ -51,6 +51,7 @@
 #include "nsTableOuterFrame.h"
 #include "nsTableFrame.h"
 #include "nsTableCellFrame.h"
+#include "celldata.h"
 
 #include "nsMathMLmtableFrame.h"
 
@@ -775,6 +776,7 @@ nsMathMLmtdFrame::GetRowSpan()
       rowspan = value.ToInteger(&error);
       if (error || rowspan < 0)
         rowspan = 1;
+      rowspan = PR_MIN(rowspan, MAX_ROWSPAN);
     }
   }
   return rowspan;
@@ -792,7 +794,7 @@ nsMathMLmtdFrame::GetColSpan()
     if (!value.IsEmpty()) {
       PRInt32 error;
       colspan = value.ToInteger(&error);
-      if (error || colspan < 0)
+      if (error || colspan < 0 || colspan > MAX_COLSPAN)
         colspan = 1;
     }
   }
diff --git a/layout/tables/celldata.h b/layout/tables/celldata.h
index 08c3b9da7518..44965e32c70c 100644
--- a/layout/tables/celldata.h
+++ b/layout/tables/celldata.h
@@ -44,6 +44,10 @@ class nsTableCellFrame;
 class nsCellMap;
 class BCCellData;
 
+
+#define MAX_ROWSPAN 8190 // the cellmap can not handle more
+#define MAX_COLSPAN 1000 // limit as IE and opera do
+
 /** 
   * Data stored by nsCellMap to rationalize rowspan and colspan cells.
   */
diff --git a/xpcom/glue/nsTArray.cpp b/xpcom/glue/nsTArray.cpp
index 5932dffac0f7..b5945266f002 100644
--- a/xpcom/glue/nsTArray.cpp
+++ b/xpcom/glue/nsTArray.cpp
@@ -65,7 +65,7 @@ nsTArray_base::EnsureCapacity(size_type capacity, size_type elemSize) {
   // doubling algorithm may not be able to allocate it.  Additionally we
   // couldn't fit in the Header::mCapacity member. Just bail out in cases
   // like that.  We don't want to be allocating 2 GB+ arrays anyway.
-  if (capacity * elemSize > size_type(-1)/2) {
+  if ((PRUint64)capacity * elemSize > size_type(-1)/2) {
     NS_ERROR("Attempting to allocate excessively large array");
     return PR_FALSE;
   }