diff --git a/dlls/shlwapi/path.c b/dlls/shlwapi/path.c
index 5c7a88a86d8..a3b462c038c 100644
--- a/dlls/shlwapi/path.c
+++ b/dlls/shlwapi/path.c
@@ -3313,6 +3313,9 @@ HRESULT WINAPI PathCreateFromUrlW(LPCWSTR pszUrl, LPWSTR pszPath,
     if (!pszUrl || !pszPath || !pcchPath || !*pcchPath)
         return E_INVALIDARG;
 
+    if (lstrlenW(pszUrl) < 5)
+        return E_INVALIDARG;
+
     if (CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE, pszUrl, 5,
                        file_colon, 5) != CSTR_EQUAL)
         return E_INVALIDARG;
@@ -3354,9 +3357,8 @@ HRESULT WINAPI PathCreateFromUrlW(LPCWSTR pszUrl, LPWSTR pszPath,
             src -= 1;
         break;
     case 2:
-        if (CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE, src, 9,
-                           localhost, 9) == CSTR_EQUAL &&
-            (src[9] == '/' || src[9] == '\\'))
+        if (lstrlenW(src) >= 10 && CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE,
+            src, 9, localhost, 9) == CSTR_EQUAL && (src[9] == '/' || src[9] == '\\'))
         {
             /* 'file://localhost/' + escaped DOS path */
             src += 10;