diff --git a/epan/dissectors/packet-tls-utils.c b/epan/dissectors/packet-tls-utils.c
index d33392a906..d2d2d7fa57 100644
--- a/epan/dissectors/packet-tls-utils.c
+++ b/epan/dissectors/packet-tls-utils.c
@@ -10773,7 +10773,7 @@ ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, guin
 guint32 old_length = ssl_session->handshake_data.data_len;
 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
 ssl_session->handshake_data.data = (guchar *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
- if (tvb) {
+ if (tvb && tvb_bytes_exist(tvb, offset, length)) {
 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
 } else {
 memset(ssl_session->handshake_data.data + old_length, 0, length);
diff --git a/epan/dissectors/packet-tls.c b/epan/dissectors/packet-tls.c
index cd2677dede..c2b630c0c7 100644
--- a/epan/dissectors/packet-tls.c
+++ b/epan/dissectors/packet-tls.c
@@ -1166,7 +1166,7 @@ decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryp
 gboolean success;
 gint direction;
 StringInfo *data_for_iv;
- gint data_for_iv_len;
+ gint data_for_iv_len, data_for_iv_offset;
 SslDecoder *decoder;
 /* if we can decrypt and decryption was a success
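Review bot: In ssl_calculate_handshake_hash a non-NULL tvb whose bytes are missing now takes the same `else` branch as a NULL tvb, so the handshake buffer is padded with zeros and any hash later derived from it will not match the real handshake, with nothing logged to say why. A trace inside that branch would make failed decryption of truncated captures diagnosable, e.g. `if (tvb) ssl_debug_printf("ssl_calculate_handshake_hash: data truncated, zero-filling %d bytes\n", length);`. The `wmem_realloc` to `old_length + length` also still runs before the existence check, so the claimed length sizes the file-scope buffer even when the bytes are absent; testing `tvb_bytes_exist` first would avoid that. The function starts before the hunk and continues after it.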
@@ -1188,7 +1188,12 @@ decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryp
 /* save data to update IV if decoder is available or updated later */
 data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
 data_for_iv_len = (record_length < 24) ? record_length : 24;
- ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
+ data_for_iv_offset = offset + record_length - data_for_iv_len;
+ if (!tvb_bytes_exist(tvb, data_for_iv_offset, data_for_iv_len)) {
+ ssl_debug_printf("decrypt_ssl3_record: record truncated\n");
+ return FALSE;
+ }
+ ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, data_for_iv_offset, data_for_iv_len), data_for_iv_len);
 if (!decoder) {
 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
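Review bot: The new early return in decrypt_ssl3_record happens before `ssl_data_set`, so after a truncated record `data_for_iv` still holds whatever tail an earlier record in that direction stored. Whether a later record then takes its IV from those stale bytes depends on code outside this hunk and should be confirmed. A comment above the guard would record the intent, e.g. `/* tvb_get_ptr() throws on a short capture; bail out and leave the saved IV tail unchanged */`. The debug line would be more useful for triage with the values in it: `ssl_debug_printf("decrypt_ssl3_record: record truncated (offset %d, need %d)\n", data_for_iv_offset, data_for_iv_len);`. The function body starts before the hunk and continues after it.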