diff --git a/mojo/core/data_pipe_consumer_dispatcher.cc b/mojo/core/data_pipe_consumer_dispatcher.cc
index 68e2f7e24d64ee..89fbcde5e7e6ed 100644
--- a/mojo/core/data_pipe_consumer_dispatcher.cc
+++ b/mojo/core/data_pipe_consumer_dispatcher.cc
@@ -371,7 +371,9 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast(data);
 if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->read_offset >= state->options.capacity_num_bytes ||
+ state->bytes_available > state->options.capacity_num_bytes) {
 return nullptr;
 }
@@ -408,6 +410,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_.mapped_size()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }
diff --git a/mojo/core/data_pipe_producer_dispatcher.cc b/mojo/core/data_pipe_producer_dispatcher.cc
index e6256f8f0d9a3c..201b9762bde5ab 100644
--- a/mojo/core/data_pipe_producer_dispatcher.cc
+++ b/mojo/core/data_pipe_producer_dispatcher.cc
@@ -332,7 +332,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast(data);
 if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->write_offset >= state->options.capacity_num_bytes ||
+ state->available_capacity > state->options.capacity_num_bytes) {
 return nullptr;
 }
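Review bot: The two bounds added to this condition carry no comment explaining why the offset is rejected with `>=` while the byte count is rejected with `>`, and that asymmetry is easy to "normalise" by mistake in a later edit. A comment above the `if` would pin it down, e.g. `// Values come from the serialized state: read_offset indexes the ring buffer (must be < capacity); bytes_available is a count (may equal capacity).` Note that capacity_num_bytes is itself still an unverified serialized value here; it is only compared with the real mapping by the check added after InitializeNoLock() later in the same function, so the two checks are only sound together. The same applies to the write_offset / available_capacity bounds added in data_pipe_producer_dispatcher.cc. Deserialize starts and ends outside the hunk.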
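Review bot: The new mapped-size check returns nullptr after InitializeNoLock() has already succeeded, unlike the existing failure path directly above it, which bails out when initialization itself fails. InitializeNoLock() is not visible in this hunk; if it does more than map the ring buffer, this early return would leave that state behind, so it is worth confirming that dropping the dispatcher here fully undoes initialization. A comment would also help the next reader, e.g. `// capacity_num_bytes comes from the serialized state; reject it if it exceeds what was actually mapped.` The identical check added to data_pipe_producer_dispatcher.cc has the same placement, and the enclosing block continues outside the hunk.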
@@ -368,6 +370,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_.mapped_size()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }
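Review bot: This guard is a token-for-token copy of the one added to the consumer's Deserialize, and the offset/count bounds added earlier in both functions differ only in field names, so the two validators can drift apart on the next change. Since both exist to reject malformed serialized state, a single shared helper would keep them in step, for example `if (!CapacityFitsMapping(state->options, dispatcher->ring_buffer_mapping_)) return nullptr;`, where the helper name is only a suggestion and does not exist on this page. The enclosing block continues outside the hunk.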