diff --git a/chain/actors/actor_miner.go b/chain/actors/actor_miner.go
index 54076cac8..4e3e33096 100644
--- a/chain/actors/actor_miner.go
+++ b/chain/actors/actor_miner.go
@@ -24,6 +24,7 @@ import (
 )
 
 const MaxSectors = 1 << 48
+const RLEMax = 100e3
 
 type StorageMinerActor struct{}
 
@@ -576,6 +577,17 @@ func (sma StorageMinerActor) SubmitFallbackPoSt(act *types.Actor, vmctx types.VM
 		return nil, aerrors.HandleExternalError(lerr, "could not load proving set node")
 	}
 
+	{
+		c, nerr := self.FaultSet.Count()
+		if nerr != nil {
+			return nil, aerrors.Absorb(nerr, 6, "invalid bitfield")
+		}
+
+		if c > RLEMax {
+			return nil, aerrors.Newf(7, "too many items in bitfield: %d", c)
+		}
+	}
+
 	faults, nerr := self.FaultSet.AllMap()
 	if nerr != nil {
 		return nil, aerrors.Absorb(err, 5, "RLE+ invalid")
@@ -1147,6 +1159,16 @@ func onSuccessfulPoStV1(self *StorageMinerActorState, vmctx types.VMContext) aer
 		return aerrors.HandleExternalError(nerr, "failed to load proving set")
 	}
 
+	{
+		c, nerr := self.FaultSet.Count()
+		if nerr != nil {
+			return aerrors.Absorb(nerr, 2, "invalid bitfield")
+		}
+		if c > RLEMax {
+			return aerrors.Newf(3, "too many items in bitfield: %d", c)
+		}
+	}
+
 	faults, nerr := self.FaultSet.All()
 	if nerr != nil {
 		return aerrors.Absorb(nerr, 1, "invalid bitfield (fatal?)")