diff --git a/wolfcrypt/src/port/arm/armv8-aes.c b/wolfcrypt/src/port/arm/armv8-aes.c
index 9b46f2d8b..535239647 100644
--- a/wolfcrypt/src/port/arm/armv8-aes.c
+++ b/wolfcrypt/src/port/arm/armv8-aes.c
@@ -677,7 +677,8 @@ void wc_AesFree(Aes* aes)
     {
         word32 numBlocks = sz / AES_BLOCK_SIZE;
 
-        if (aes == NULL || out == NULL || (in == NULL && sz > 0)) {
+        if (aes == NULL || out == NULL || (in == NULL && sz > 0)
+                || sz % AES_BLOCK_SIZE != 0) {
             return BAD_FUNC_ARG;
         }
 
@@ -2545,8 +2546,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         return BAD_FUNC_ARG;
     }
 
-    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
-        WOLFSSL_MSG("GcmEncrypt authTagSz too small error");
+    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || authTagSz > AES_BLOCK_SIZE) {
+        WOLFSSL_MSG("GcmEncrypt authTagSz error");
         return BAD_FUNC_ARG;
     }
 
@@ -3269,7 +3270,8 @@ int  wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     {
         word32 numBlocks = sz / AES_BLOCK_SIZE;
 
-        if (aes == NULL || out == NULL || (in == NULL && sz > 0)) {
+        if (aes == NULL || out == NULL || (in == NULL && sz > 0)
+                || sz % AES_BLOCK_SIZE != 0) {
             return BAD_FUNC_ARG;
         }
 
@@ -4193,6 +4195,11 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         return BAD_FUNC_ARG;
     }
 
+    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || authTagSz > AES_BLOCK_SIZE) {
+        WOLFSSL_MSG("GcmEncrypt authTagSz error");
+        return BAD_FUNC_ARG;
+    }
+
     XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
     if (ivSz == NONCE_SZ) {
         XMEMCPY(initialCounter, iv, ivSz);