diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index bcbaa4d6a0ff58f7f227bc3fe77dfdc01f007eca..0edf85255043c4a3d9a36a33e3665e7de18e8a4d 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3532,6 +3532,7 @@ static void binder_transaction(struct binder_proc *proc,
 */
 copy_size = object_offset - user_offset;
 if (copy_size && (user_offset > object_offset ||
+ object_offset > tr->data_size ||
 binder_alloc_copy_user_to_buffer(
 &target_proc->alloc,
 t->buffer, user_offset,
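Review bot: The new `object_offset > tr->data_size` bound sits inside the `copy_size &&` guard, so it is not evaluated when `object_offset == user_offset`. Nothing is copied in that case, but whatever reads the object at `object_offset` afterwards (outside this hunk) then has to bound the offset on its own, which is worth confirming. The comment that closes just above `copy_size = ...` should also state the invariant, for example `object_offset must stay within tr->data_size so the raw-data copy into t->buffer cannot run past the data section` (presumably the intent; the comment text itself is not visible here). The `if` condition and the rest of binder_transaction() continue past the end of the hunk, so the error path taken when the check fails cannot be reviewed from these lines.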