diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp
index 72493d85..2c6e6b52 100644
--- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp
+++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp
@@ -215,6 +215,13 @@ OEMCryptoResult CryptoEngine::SetDestination(
     default:
       return OEMCrypto_ERROR_INVALID_CONTEXT;
   }
+  size_t max_allowed = max_output_size();
+  if (max_allowed > 0 &&
+      (max_allowed < max_length || max_allowed < data_length)) {
+    LOGE("Output too large (or buffer too small).");
+    return OEMCrypto_ERROR_OUTPUT_TOO_LARGE;
+  }
+
   if (out_description->type != OEMCrypto_BufferType_Direct &&
       max_length < data_length) {
     LOGE("[SetDestination(): OEMCrypto_ERROR_SHORT_BUFFER]");
diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h
index 32ab9eb6..6ad5cd2f 100644
--- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h
+++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h
@@ -150,6 +150,11 @@ class CryptoEngine {
   // This is the same as the max subsample size, not the sample or frame size.
   virtual size_t max_buffer_size() { return 1024 * 100; }  // 100 KiB.
 
+  // If 0 no restriction, otherwise it's the max output buffer for DecryptCENC
+  // and CopyBuffer. This is the same as the max frame or sample size, not the
+  // subsample size.
+  virtual size_t max_output_size() { return 0; }
+
   virtual bool srm_update_supported() { return false; }
 
   virtual OEMCryptoResult current_srm_version(uint16_t* version) {