diff --git a/core/logic/CellArray.h b/core/logic/CellArray.h
index 9e6795da..e74cfbd5 100644
--- a/core/logic/CellArray.h
+++ b/core/logic/CellArray.h
@@ -35,6 +35,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ICellArray.h>
+#include <amtl/am-bits.h>
 
 extern HandleType_t htCellArray;
 
@@ -214,30 +215,34 @@ private:
 		{
 			return true;
 		}
+		size_t newAllocSize = m_AllocSize;
 		/* Set a base allocation size of 8 items */
-		if (!m_AllocSize)
+		if (!newAllocSize)
 		{
-			m_AllocSize = 8;
+			newAllocSize = 8;
+		}
+		if (!ke::IsUintPtrAddSafe(m_Size, count))
+		{
+			return false;
 		}
 		/* If it's not enough, keep doubling */
-		while (m_Size + count > m_AllocSize)
+		while (m_Size + count > newAllocSize)
 		{
-			m_AllocSize *= 2;
-		}
-		/* finally, allocate the new block */
-		if (m_Data)
-		{
-			cell_t *data = static_cast<cell_t*>(realloc(m_Data, sizeof(cell_t) * m_BlockSize * m_AllocSize));
-			if (!data)  // allocation failure
+			if (!ke::IsUintPtrMultiplySafe(newAllocSize, 2))
 			{
 				return false;
 			}
-
-			m_Data = data;
-		} else {
-			m_Data = static_cast<cell_t*>(malloc(sizeof(cell_t) * m_BlockSize * m_AllocSize));
+			newAllocSize *= 2;
 		}
-		return (m_Data != nullptr);
+		/* finally, allocate the new block */
+		cell_t *data = static_cast<cell_t*>(realloc(m_Data, sizeof(cell_t) * m_BlockSize * newAllocSize));
+		/* Update state if allocation was successful */
+		if (data)
+		{
+			m_AllocSize = newAllocSize;
+			m_Data = data;
+		}
+		return (data != nullptr);
 	}
 private:
 	cell_t *m_Data;