diff --git a/components/bt/host/bluedroid/stack/avct/avct_lcb_act.c b/components/bt/host/bluedroid/stack/avct/avct_lcb_act.c
index b83219dceb..98dbaed809 100644
--- a/components/bt/host/bluedroid/stack/avct/avct_lcb_act.c
+++ b/components/bt/host/bluedroid/stack/avct/avct_lcb_act.c
@@ -86,6 +86,11 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
 AVCT_TRACE_WARNING("Got start during reassembly");
 }
 osi_free(p_lcb->p_rx_msg);
+ p_lcb->p_rx_msg = NULL;
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ osi_free(p_buf);
+ return NULL;
+ }
 /* Allocate bigger buffer for reassembly. As lower layers are
 * not aware of possible packet size after reassembly they
 * would have allocated smaller buffer.
diff --git a/components/bt/host/bluedroid/stack/avdt/avdt_msg.c b/components/bt/host/bluedroid/stack/avdt/avdt_msg.c
index a049eee925..676c05a492 100644
--- a/components/bt/host/bluedroid/stack/avdt/avdt_msg.c
+++ b/components/bt/host/bluedroid/stack/avdt/avdt_msg.c
@@ -1314,6 +1314,10 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
 * not aware of possible packet size after reassembly, they
 * would have allocated smaller buffer. */
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ osi_free(p_buf);
+ return NULL;
+ }
 p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
 memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
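Review bot: The new oversize guard in avct_lcb_msg_asmbl drops the start fragment silently, while the adjacent path two lines above logs "Got start during reassembly"; a peer sending a start fragment larger than BT_DEFAULT_BUFFER_SIZE is exactly the remote input a field trace should record, so add `AVCT_TRACE_WARNING("Dropping oversized AVCTP start fragment (%u bytes)", p_buf->len);` before `osi_free(p_buf);`. Freeing p_buf and returning NULL assumes the caller treats NULL as "nothing to deliver" and never touches p_buf again; that appears to match how the normal reassembly-in-progress return works here, but the caller is outside the hunk so please confirm. The guard only covers the first fragment: if the continuation/end path appends into the same fixed BT_DEFAULT_BUFFER_SIZE buffer it needs an equivalent bound, and I cannot see from this hunk whether one exists. The function starts before the hunk and continues after it, and the osi_malloc/memcpy the check protects is also below the visible lines.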
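Review bot: In avdt_msg_asmbl the bound check now protects the memcpy length, but the `osi_malloc(BT_DEFAULT_BUFFER_SIZE)` result on the following line is still copied into without a NULL check; on a fragmented heap that is a NULL write with the same ownership consequences the new guard just handled, unless osi_malloc aborts on failure in this build, which is not visible here. I would add `if (p_ccb->p_rx_msg == NULL) { osi_free(p_buf); return NULL; }` right after the allocation. The size expression is now written twice (check and memcpy); hoisting it into `size_t needed = sizeof(BT_HDR) + p_buf->offset + p_buf->len;` and using it in both places keeps the guard and the copy from drifting apart. The hunk header counts six old lines but fewer are visible, so the end of this hunk and the rest of the function lie outside what I can see.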