diff --git a/src/decoder/mod.rs b/src/decoder/mod.rs
index 9fd19b98..ffb47404 100644
--- a/src/decoder/mod.rs
+++ b/src/decoder/mod.rs
@@ -42,6 +42,10 @@ use serde::de::Deserialize;
 fn read_string<R: Read + ?Sized>(reader: &mut R, utf8_lossy: bool) -> DecoderResult<String> {
     let len = reader.read_i32::<LittleEndian>()?;
 
+    if len < 0 {
+        return Err(DecoderError::InvalidLength(0, "invalid length for UTF-8 string".to_owned()));
+    }
+
     let s = if utf8_lossy {
         let mut buf = Vec::with_capacity(len as usize - 1);
         reader.take(len as u64 - 1).read_to_end(&mut buf)?;