diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c
index bcfd1005dfe..c14fe84de36 100644
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@@ -719,6 +719,14 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash)
         return BAD_FUNC_ARG;
     }
 
+#ifndef WC_NO_HARDEN
+    /* We'll add a 0x80 byte at the end,
+    ** so make sure we have appropriate buffer length. */
+    if (sha->buffLen > WC_SHA_BLOCK_SIZE - 1) {
+        return BAD_FUNC_ARG;
+    }
+#endif
+
     local = (byte*)sha->buffer;
 
 #ifdef WOLF_CRYPTO_CB
diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c
index 8996f4dcf84..c4c2bd037ee 100644
--- a/wolfcrypt/src/sha256.c
+++ b/wolfcrypt/src/sha256.c
@@ -1243,6 +1243,14 @@ static int InitSha256(wc_Sha256* sha256)
             return BAD_FUNC_ARG;
         }
 
+#ifndef WC_NO_HARDEN
+        /* We'll add a 0x80 byte at the end,
+        ** so make sure we have appropriate buffer length. */
+        if (sha256->buffLen > WC_SHA256_BLOCK_SIZE - 1) {
+            return BAD_FUNC_ARG;
+        }
+#endif
+
         local = (byte*)sha256->buffer;
         local[sha256->buffLen++] = 0x80; /* add 1 */
 
diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c
index b62fbc1bb7e..44334add0ba 100644
--- a/wolfcrypt/src/sha512.c
+++ b/wolfcrypt/src/sha512.c
@@ -966,6 +966,14 @@ static WC_INLINE int Sha512Final(wc_Sha512* sha512)
         return BAD_FUNC_ARG;
     }
 
+#ifndef WC_NO_HARDEN
+    /* We'll add a 0x80 byte at the end,
+    ** so make sure we have appropriate buffer length. */
+    if (sha512->buffLen > WC_SHA512_BLOCK_SIZE - 1) {
+        return BAD_FUNC_ARG;
+    }
+#endif
+
     local = (byte*)sha512->buffer;
 
     local[sha512->buffLen++] = 0x80;  /* add 1 */