diff --git a/app/xcf/xcf-read.c b/app/xcf/xcf-read.c
index 9d87f40e85..4e4ab3a9ce 100644
--- a/app/xcf/xcf-read.c
+++ b/app/xcf/xcf-read.c
@@ -27,6 +27,7 @@
 
 #include "gimp-intl.h"
 
+#define MAX_XCF_STRING_LEN (16 * (1L << 20)) /* 16 MB */
 
 guint
 xcf_read_int32 (FILE    *fp,
@@ -94,7 +95,13 @@ xcf_read_string (FILE   *fp,
 
       total += xcf_read_int32 (fp, &tmp, 1);
 
-      if (tmp > 0)
+      if (tmp > MAX_XCF_STRING_LEN)
+        {
+          g_warning ("Maximum string length (%ld bytes) exceeded."
+                     " Possibly corrupt XCF file.", MAX_XCF_STRING_LEN);
+          data[i] = NULL;
+        }
+      else if (tmp > 0)
         {
           gchar *str;