diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index 9294d29bb2..a5f09a4f45 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -188,7 +188,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa
  *
  * \param       bits        Size of each coordinate in bits.
  * \param       raw         Buffer that contains the signature in raw format.
- * \param       raw_len     Length of \p raw in bytes. This must be at least
+ * \param       raw_len     Length of \p raw in bytes. This must be
  *                          PSA_BITS_TO_BYTES(bits) bytes.
  * \param[out]  der         Buffer that will be filled with the converted DER
  *                          output. It can overlap with raw buffer.
diff --git a/library/psa_util.c b/library/psa_util.c
index 7ce5eea030..674f21b9be 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l
     unsigned char *p = der + der_size;
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if (raw_len < 2 * coordinate_len) {
+    if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) {
         return MBEDTLS_ERR_ASN1_INVALID_DATA;
     }
 
diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data
index eb205b905f..1d170297b4 100644
--- a/tests/suites/test_suite_psa_crypto_util.data
+++ b/tests/suites/test_suite_psa_crypto_util.data
@@ -42,6 +42,10 @@ ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter)
 depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
 
+ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
 ECDSA DER -> Raw, 256bit, Success
 depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0