diff --git a/src/ssl_load.c b/src/ssl_load.c
index 1562da6fe5..e6a1dc4889 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -160,6 +160,10 @@ static int DataToDerBuffer(const unsigned char* buff, word32 len, int format,
         else {
             ret = ASN_PARSE_E;
         }
+
+        if (info->consumed > (int)len) {
+            ret = ASN_PARSE_E;
+        }
         if (ret == 0) {
             ret = AllocCopyDer(der, buff, (word32)info->consumed, type, heap);
         }