diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index bb660cefd..d07c66d5e 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3425,6 +3425,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, h);
 /* Copy the result into s. */
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3573,6 +3575,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, aes->M0);
 /* Copy the result into s. */
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3697,6 +3701,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords64(x, x, AES_BLOCK_SIZE);
 #endif
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3844,6 +3850,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords(x, x, AES_BLOCK_SIZE);
 #endif
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3914,6 +3922,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
 wc_AesEncrypt(aes, initialCounter, scratch);
+ if (authTagSz > AES_BLOCK_SIZE)
+ authTagSz = AES_BLOCK_SIZE;
 xorbuf(authTag, scratch, authTagSz);
 return 0;
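Review bot: The clamp added before `XMEMCPY(s, x, sSz)` silently shortens the copy, so a caller that passes sSz above AES_BLOCK_SIZE gets only the first block of s written and nothing tells it the rest of the buffer was left untouched. GHASH is static and returns void, so it cannot report the problem itself; the length is better rejected once in the public entry points, with a comment here stating the contract, for example `/* x is one AES block; callers must pass sSz <= AES_BLOCK_SIZE */`. The same two lines are repeated in the hunks at @@ -3573, @@ -3697 and @@ -3844 (the other GHASH build variants), and the point applies to each of them. GHASH's body starts outside every one of these hunks, so the size of x is inferred from the AES_BLOCK_SIZE arguments visible in the context lines.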
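Review bot: In wc_AesGcmEncrypt the bound on authTagSz is applied only after `GHASH(...)` and `wc_AesEncrypt(...)` have run, and the function still returns 0, so a caller that requested a tag longer than AES_BLOCK_SIZE gets a success code while the tail of its authTag buffer is never written. Rejecting the length up front is safer and makes the clamp unnecessary: `if (authTagSz > AES_BLOCK_SIZE) return BAD_FUNC_ARG;` placed before the GHASH call. The decrypt counterpart is not part of this diff; if it compares tags over the caller-supplied authTagSz it would need the same bound. Any argument checks the function already has sit above the hunk and are not visible here.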