diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index 0f03612349..be5a34de96 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -195,11 +195,16 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
       VBDEBUG(("Invalid public key\n"));
       return VBOOT_PUBLIC_KEY_INVALID;
     }
+
+    /* Make sure advertised signature data sizes are sane. */
+    if (block->key_block_size < sig->data_size) {
+      VBDEBUG(("Signature calculated past end of the block\n"));
+      return VBOOT_KEY_BLOCK_INVALID;
+    }
     rv = VerifyData((const uint8_t*)block, sig, rsa);
     RSAPublicKeyFree(rsa);
     if (rv)
       return VBOOT_KEY_BLOCK_SIGNATURE;
-
   } else {
     /* Check hash */
     uint8_t* header_checksum = NULL;
@@ -269,6 +274,13 @@ int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
     VBDEBUG(("Preamble signature off end of preamble\n"));
     return VBOOT_PREAMBLE_INVALID;
   }
+
+  /* Make sure advertised signature data sizes are sane. */
+  if (preamble->preamble_size < sig->data_size) {
+    VBDEBUG(("Signature calculated past end of the block\n"));
+    return VBOOT_PREAMBLE_INVALID;
+  }
+
   if (VerifyData((const uint8_t*)preamble, sig, key)) {
     VBDEBUG(("Preamble signature validation failed\n"));
     return VBOOT_PREAMBLE_SIGNATURE;
diff --git a/firmware/version.c b/firmware/version.c
index 1ae829bbf5..b6ddebf0c1 100644
--- a/firmware/version.c
+++ b/firmware/version.c
@@ -1 +1 @@
-char* VbootVersion = "VBOOv=3b14b77c";
+char* VbootVersion = "VBOOv=75ccdf11";