diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 72b6c7ed1..4e679b861 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -9354,6 +9354,12 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
             padLen = encryptedContent[encryptedContentSz-1];
 
             /* copy plaintext to output */
+            if (padLen > encryptedContentSz ||
+                    (word32)(encryptedContentSz - padLen) > outputSz) {
+                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                ret = BUFFER_E;
+                break;
+            }
             XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
 
             /* free memory, zero out keys */