diff --git a/sdk/helper/kdf/kdf.go b/sdk/helper/kdf/kdf.go
index 22e9f67bc4..d1c73b9f46 100644
--- a/sdk/helper/kdf/kdf.go
+++ b/sdk/helper/kdf/kdf.go
@@ -9,6 +9,7 @@ import (
 	"crypto/sha256"
 	"encoding/binary"
 	"fmt"
+	"math"
 )
 
 // PRF is a pseudo-random function that takes a key or seed,
@@ -37,6 +38,10 @@ func CounterMode(prf PRF, prfLen uint32, key []byte, context []byte, bits uint32
 		rounds++
 	}
 
+	if len(context) > math.MaxInt - 8 {
+		return nil, fmt.Errorf("too much context specified; would overflow: %d bytes", len(context))
+	}
+
 	// Allocate and setup the input
 	input := make([]byte, 4+len(context)+4)
 	copy(input[4:], context)