diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..7324ec22941a 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -28,6 +28,18 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 brelse(bh);
 if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
 btree = GET_BTREE_PTR(&anode->btree);
+ if ((void *)btree < (void *)bh->b_data ||
+ (void *)btree + sizeof(*btree) > (void *)bh->b_data + bh->b_size) {
+ hpfs_error(s, "btree pointer out of bounds");
+ brelse(bh);
+ return -1;
+ }
+
+ if (btree->n_used_nodes > 60) {
+ hpfs_error(s, "n_used_nodes=%u is suspiciously large", btree->n_used_nodes);
+ brelse(bh);
+ return -1;
+ }
 goto go_down;
 }
 hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
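Review bot: The `n_used_nodes > 60` limit is a bare constant that takes no account of whether the freshly mapped node is internal or a leaf; leaf entries in HPFS are larger than internal ones, so a leaf with a count under 60 can presumably still index past the end of the sector, which is worth confirming against the on-disk layout in hpfs.h. The preceding pointer check has the same gap, since it only proves that the `sizeof(*btree)` header lies inside `bh->b_data`, not the entries that the lookup loops then walk. A bound derived from the entry size would cover both cases, e.g. `size_t esz = bp_internal(btree) ? sizeof(btree->u.internal[0]) : sizeof(btree->u.external[0]);` followed by `if ((void *)btree->u.internal + btree->n_used_nodes * esz > (void *)bh->b_data + bh->b_size)` with the same error path. The body of hpfs_bplus_lookup starts and ends outside this hunk, so whether the btree passed in by the caller on the first pass gets an equivalent check cannot be seen here.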