diff --git a/lib/asn1/der_put.c b/lib/asn1/der_put.c
index 122dbf7cc..b470e69d2 100644
--- a/lib/asn1/der_put.c
+++ b/lib/asn1/der_put.c
@@ -471,6 +471,8 @@ der_replace_tag(const unsigned char *p, size_t len,
     e = der_get_length(p, len, &payload_len, &len_len);
     if (e)
         return e;
+    if (payload_len > len)
+        return ASN1_OVERFLOW;
     /*
      * `p' now points at the payload; `*out' + the length of the tag points at
      * where we should copy the DER length and the payload.