diff --git a/src/main/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandler.java b/src/main/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandler.java
index 82d9cab76..2cfd14a1a 100644
--- a/src/main/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandler.java
+++ b/src/main/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandler.java
@@ -133,6 +133,11 @@ public ProcessingSummary processBytes(final byte[] in, final int off, final int
                 int protectedContentLen = -1;
                 if (currentFrameHeaders_.isFinalFrame()) {
                     protectedContentLen = currentFrameHeaders_.getFrameContentLength();
+
+                    // The final frame should not be able to exceed the frameLength
+                    if (frameSize_ > 0 && protectedContentLen > frameSize_) {
+                        throw new BadCiphertextException("Final frame length exceeds frame length.");
+                    }
                 } else {
                     protectedContentLen = frameSize_;
                 }
diff --git a/src/main/java/com/amazonaws/encryptionsdk/model/CiphertextHeaders.java b/src/main/java/com/amazonaws/encryptionsdk/model/CiphertextHeaders.java
index 5e3b90886..aca71665b 100644
--- a/src/main/java/com/amazonaws/encryptionsdk/model/CiphertextHeaders.java
+++ b/src/main/java/com/amazonaws/encryptionsdk/model/CiphertextHeaders.java
@@ -859,4 +859,4 @@ public void setHeaderNonce(final byte[] headerNonce) {
     public void setHeaderTag(final byte[] headerTag) {
         headerTag_ = headerTag.clone();
     }
-}
\ No newline at end of file
+}
diff --git a/src/test/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandlerTest.java b/src/test/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandlerTest.java
index 40554f72d..9f0a637e9 100644
--- a/src/test/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandlerTest.java
+++ b/src/test/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandlerTest.java
@@ -15,11 +15,14 @@
 
 import static org.junit.Assert.assertTrue;
 
+import java.nio.ByteBuffer;
 import java.security.SecureRandom;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
+import com.amazonaws.encryptionsdk.TestUtils;
+import com.amazonaws.encryptionsdk.exception.BadCiphertextException;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -72,4 +75,18 @@ public void decryptMaxContentLength() {
         frameDecryptionHandler_.processBytes(in, 0, in.length, out, 0);
         frameDecryptionHandler_.processBytes(in, 0, Integer.MAX_VALUE, out, 0);
     }
-}
\ No newline at end of file
+
+    @Test(expected = BadCiphertextException.class)
+    public void finalFrameLengthTooLarge() {
+
+        final ByteBuffer byteBuffer = ByteBuffer.allocate(25);
+        byteBuffer.put(TestUtils.unsignedBytesToSignedBytes(
+                new int[] {255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}));
+        byteBuffer.putInt(AwsCrypto.getDefaultFrameSize() + 1);
+
+        final byte[] in = byteBuffer.array();
+        final byte[] out = new byte[in.length];
+
+        frameDecryptionHandler_.processBytes(in, 0, in.length, out, 0);
+    }
+}