diff --git a/dlls/hidclass.sys/device.c b/dlls/hidclass.sys/device.c
index 73ea6610ab8..82366ad1888 100644
--- a/dlls/hidclass.sys/device.c
+++ b/dlls/hidclass.sys/device.c
@@ -345,6 +345,12 @@ static NTSTATUS HID_get_feature(BASE_DEVICE_EXTENSION *ext, IRP *irp)
     out_buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
     TRACE_(hid_report)("Device %p Buffer length %i Buffer %p\n", ext, irpsp->Parameters.DeviceIoControl.OutputBufferLength, out_buffer);
 
+    if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !out_buffer)
+    {
+        irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+        return rc;
+    }
+
     len = sizeof(*packet) + irpsp->Parameters.DeviceIoControl.OutputBufferLength;
     packet = malloc(len);
     packet->reportBufferLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
@@ -495,6 +501,12 @@ NTSTATUS WINAPI pdo_ioctl(DEVICE_OBJECT *device, IRP *irp)
             BYTE *buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
             ULONG out_length;
 
+            if (!irpsp->Parameters.DeviceIoControl.OutputBufferLength || !buffer)
+            {
+                irp->IoStatus.Status = STATUS_BUFFER_TOO_SMALL;
+                break;
+            }
+
             packet = malloc(packet_size);
 
             if (ext->u.pdo.preparsed_data->reports[0].reportID)