diff --git a/src/link/patch.c b/src/link/patch.c
index aeab74b2..7fa63417 100644
--- a/src/link/patch.c
+++ b/src/link/patch.c
@@ -82,10 +82,20 @@ static inline void clearRPNStack(void)
 static void pushRPN(int32_t value)
 {
 if (stack.size >= stack.capacity) {
- stack.capacity *= 2;
+ static const size_t increase_factor = 2;
+
+ if (stack.capacity > SIZE_MAX / increase_factor)
+ errx(1, "Overflow in RPN stack resize");
+
+ stack.capacity *= increase_factor;
 stack.buf = realloc(stack.buf, sizeof(*stack.buf) * stack.capacity);
- if (!stack.buf)
+ /*
+ * Static analysis tools complain that the capacity might become
+ * zero due to overflow, but fail to realize that it's caught by
+ * the overflow check above. Hence the stringent check below.
+ */
+ if (!stack.buf || !stack.capacity)
 err(1, "Failed to resize RPN stack");
 }