diff --git a/src/internal.c b/src/internal.c
index 639cd1c1a..88100e4a0 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -21495,7 +21495,7 @@ exit_dpk:
             ato16(input + *inOutIdx, &len);
             *inOutIdx += OPAQUE16_LEN;
 
-            if ((*inOutIdx - begin) + len > size)
+            if ((len > size) || ((*inOutIdx - begin) + len > size))
                 return BUFFER_ERROR;
 
             if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 &&