diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
index 598b7f110c..dff39cb13f 100644
--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
@@ -97,7 +97,7 @@ bool interface_name_is_valid(const char *p) {
 dot = false;
 }
- if (q - p > 255)
+ if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
 return false;
 if (dot)
@@ -139,7 +139,7 @@ bool service_name_is_valid(const char *p) {
 dot = false;
 }
- if (q - p > 255)
+ if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
 return false;
 if (dot)
@@ -170,7 +170,7 @@ bool member_name_is_valid(const char *p) {
 return false;
 }
- if (q - p > 255)
+ if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
 return false;
 return true;
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 11c4648f91..427d42f296 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -284,7 +284,7 @@ static int message_append_field_signature(
 /* dbus1 doesn't allow signatures over 8bit, let's enforce
 * this globally, to not risk convertability */
 l = strlen(s);
- if (l > 255)
+ if (l > SD_BUS_MAXIMUM_SIGNATURE_LENGTH)
 return -EINVAL;
 /* Signature "(yv)" where the variant contains "g" */
@@ -5152,7 +5152,7 @@ int bus_message_parse_fields(sd_bus_message *m) {
 return -EBADMSG;
 if (*p == 0) {
- char *k;
+ _cleanup_free_ char *k = NULL;
 size_t l;
 /* We found the beginning of the signature
@@ -5170,6 +5170,9 @@ int bus_message_parse_fields(sd_bus_message *m) {
 if (!k)
 return -ENOMEM;
+ if (!signature_is_valid(k, true))
+ return -EBADMSG;
+
 free_and_replace(m->root_container.signature, k);
 break;
 }
diff --git a/src/libsystemd/sd-bus/bus-signature.c b/src/libsystemd/sd-bus/bus-signature.c
index 1ecd6e8b7e..b420ba3688 100644
--- a/src/libsystemd/sd-bus/bus-signature.c
+++ b/src/libsystemd/sd-bus/bus-signature.c
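Review bot: In the `@@ -5170,6 +5170,9 @@` hunk of bus-message.c the new check passes `true` as the second argument of `signature_is_valid()`, which the bus-signature.c hunk header names `allow_dict_entry`, so a root container signature made of a bare dict entry would presumably still be accepted at this point. If the root signature is meant to be a plain sequence of complete types, `if (!signature_is_valid(k, false))` looks like the stricter choice and is worth confirming against the other callers; if `true` is intended, a short comment saying why would help. A one-line comment above the check, such as `/* The signature is taken from the message itself, so validate it before storing it */`, would also explain why the `@@ -5152,7 +5152,7 @@` hunk switches `k` to `_cleanup_free_` for the new early return. bus_message_parse_fields() starts and ends outside both hunks.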
@@ -144,5 +144,5 @@ bool signature_is_valid(const char *s, bool allow_dict_entry) {
 p += t;
 }
- return p - s <= 255;
+ return p - s <= SD_BUS_MAXIMUM_SIGNATURE_LENGTH;
 }
diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h
index 129cc93328..84ceb62dc7 100644
--- a/src/systemd/sd-bus.h
+++ b/src/systemd/sd-bus.h
@@ -33,6 +33,12 @@ _SD_BEGIN_DECLARATIONS;
 #define SD_BUS_DEFAULT_USER ((sd_bus *) 2)
 #define SD_BUS_DEFAULT_SYSTEM ((sd_bus *) 3)
+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-marshaling-signature */
+#define SD_BUS_MAXIMUM_SIGNATURE_LENGTH 255
+
+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names */
+#define SD_BUS_MAXIMUM_NAME_LENGTH 255
+
 /* Types */
 typedef struct sd_bus sd_bus;
diff --git a/test/fuzz/fuzz-bus-message/oss-fuzz-14016 b/test/fuzz/fuzz-bus-message/oss-fuzz-14016
new file mode 100644
index 0000000000..c82d1ba4ad
Binary files /dev/null and b/test/fuzz/fuzz-bus-message/oss-fuzz-14016 differ
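Review bot: The two macros added in the sd-bus.h hunk are documented only by a spec URL, which does not say what the number counts. The callers in this commit compare them against `strlen(s)` and against pointer differences such as `q - p`, so the limit is a byte length without the terminating NUL; a comment like `/* Maximum length of a signature in bytes, not counting the trailing NUL */` above the first macro, and the matching wording for names above the second, would state that contract in the header. Since sd-bus.h is an installed header, the new names presumably become public API, so it is worth confirming they are meant to be exported rather than kept in an internal header.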