diff --git a/dlls/rpcrt4/ndr_ole.c b/dlls/rpcrt4/ndr_ole.c
index 71690ac8d5e..baa3f07338a 100644
--- a/dlls/rpcrt4/ndr_ole.c
+++ b/dlls/rpcrt4/ndr_ole.c
@@ -126,13 +126,18 @@ static HRESULT WINAPI RpcStream_Read(LPSTREAM iface,
                                     ULONG *pcbRead)
 {
   RpcStreamImpl *This = (RpcStreamImpl *)iface;
-  if (This->pos + cb > *This->size) cb = *This->size - This->pos;
+  HRESULT hr = S_OK;
+  if (This->pos + cb > *This->size)
+  {
+    cb = *This->size - This->pos;
+    hr = S_FALSE;
+  }
   if (cb) {
     memcpy(pv, This->data + This->pos, cb);
     This->pos += cb;
   }
   if (pcbRead) *pcbRead = cb;
-  return S_OK;
+  return hr;
 }
 
 static HRESULT WINAPI RpcStream_Write(LPSTREAM iface,
@@ -141,6 +146,8 @@ static HRESULT WINAPI RpcStream_Write(LPSTREAM iface,
                                      ULONG *pcbWritten)
 {
   RpcStreamImpl *This = (RpcStreamImpl *)iface;
+  if (This->data + cb > (char *)This->pMsg->BufferEnd)
+    return STG_E_MEDIUMFULL;
   memcpy(This->data + This->pos, pv, cb);
   This->pos += cb;
   if (This->pos > *This->size) *This->size = This->pos;
@@ -247,11 +254,15 @@ unsigned char * WINAPI NdrInterfacePointerMarshall(PMIDL_STUB_MESSAGE pStubMsg,
   TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
   pStubMsg->MaxCount = 0;
   if (!LoadCOM()) return NULL;
-  stream = RpcStream_Create(pStubMsg, TRUE);
-  hr = COM_MarshalInterface(stream, riid, (LPUNKNOWN)pMemory,
-                           pStubMsg->dwDestContext, pStubMsg->pvDestContext,
-                           MSHLFLAGS_NORMAL);
-  IStream_Release(stream);
+  if (pStubMsg->Buffer + sizeof(DWORD) < pStubMsg->BufferEnd) {
+    stream = RpcStream_Create(pStubMsg, TRUE);
+    if (stream) {
+      hr = COM_MarshalInterface(stream, riid, (LPUNKNOWN)pMemory,
+                                pStubMsg->dwDestContext, pStubMsg->pvDestContext,
+                                MSHLFLAGS_NORMAL);
+      IStream_Release(stream);
+    }
+  }
   return NULL;
 }
 
@@ -269,9 +280,13 @@ unsigned char * WINAPI NdrInterfacePointerUnmarshall(PMIDL_STUB_MESSAGE pStubMsg
   TRACE("(%p,%p,%p,%d)\n", pStubMsg, ppMemory, pFormat, fMustAlloc);
   if (!LoadCOM()) return NULL;
   *(LPVOID*)ppMemory = NULL;
-  stream = RpcStream_Create(pStubMsg, FALSE);
-  hr = COM_UnmarshalInterface(stream, &IID_NULL, (LPVOID*)ppMemory);
-  IStream_Release(stream);
+  if (pStubMsg->Buffer + sizeof(DWORD) < pStubMsg->BufferEnd) {
+    stream = RpcStream_Create(pStubMsg, FALSE);
+    if (stream) {
+      hr = COM_UnmarshalInterface(stream, &IID_NULL, (LPVOID*)ppMemory);
+      IStream_Release(stream);
+    }
+  }
   return NULL;
 }
 
@@ -292,7 +307,7 @@ void WINAPI NdrInterfacePointerBufferSize(PMIDL_STUB_MESSAGE pStubMsg,
                             pStubMsg->dwDestContext, pStubMsg->pvDestContext,
                             MSHLFLAGS_NORMAL);
   TRACE("size=%ld\n", size);
-  pStubMsg->BufferLength += sizeof(DWORD) + size;
+  if (size) pStubMsg->BufferLength += sizeof(DWORD) + size;
 }
 
 /***********************************************************************