diff --git a/src/os_io_seproxyhal.c b/src/os_io_seproxyhal.c
index a75070c5c..9c2a12847 100644
--- a/src/os_io_seproxyhal.c
+++ b/src/os_io_seproxyhal.c
@@ -246,10 +246,13 @@ void io_seproxyhal_handle_capdu_event(void)
 #ifdef HAVE_NFC
 void io_seproxyhal_handle_nfc_recv_event(void)
 {
+ size_t max = MIN(sizeof(G_io_apdu_buffer), sizeof(G_io_seproxyhal_spi_buffer) - 3);
+ size_t size = U2BE(G_io_seproxyhal_spi_buffer, 1);
+
 G_io_app.apdu_media = IO_APDU_MEDIA_NFC;
 G_io_app.apdu_state = APDU_NFC;
- G_io_app.apdu_length = ((G_io_seproxyhal_spi_buffer[1] << 8) & 0xFF00)
- | (G_io_seproxyhal_spi_buffer[2] & 0x00FF);
+ G_io_app.apdu_length = MIN(size, max);
+ memcpy(G_io_apdu_buffer, &G_io_seproxyhal_spi_buffer[3], G_io_app.apdu_length);
 }
 #endif
 
@@ -1002,7 +1005,7 @@ void io_seproxyhal_setup_ticker(unsigned int interval_ms)
 buffer[1] = 0;
 buffer[2] = 2;
 buffer[3] = (interval_ms >> 8) & 0xff;
- buffer[4] = (interval_ms) &0xff;
+ buffer[4] = (interval_ms) & 0xff;
 io_seproxyhal_spi_send(buffer, 5);
 }
 
@@ -1553,7 +1556,7 @@ unsigned short io_exchange(unsigned char channel, unsigned short tx_len)
 && os_global_pin_is_validated() != BOLOS_TRUE) {
 tx_len = 0;
 G_io_apdu_buffer[(tx_len)++] = (SWO_SEC_PIN_15 >> 8) & 0xFF;
- G_io_apdu_buffer[(tx_len)++] = (SWO_SEC_PIN_15) &0xFF;
+ G_io_apdu_buffer[(tx_len)++] = (SWO_SEC_PIN_15) & 0xFF;
 channel &= ~IO_FLAGS;
 goto reply_apdu;
 }
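Review bot: In io_seproxyhal_handle_nfc_recv_event (first hunk), a declared length larger than `max` is silently clamped by `MIN(size, max)`, so the application is handed a truncated APDU with `apdu_state = APDU_NFC` as though it were a complete command. The clamp keeps the `memcpy` inside both buffers, but a frame whose length field exceeds what either buffer can hold is malformed and is safer rejected than parsed. Consider `if (size > max) { return; }` ahead of the `apdu_media`/`apdu_state` assignments, or whichever rejection path the other transports use, which this hunk does not show. A short comment would also help on the literal `3`, which appears both in `max` and as the copy offset and is presumably the event header (one tag byte plus the two-byte length read by `U2BE(..., 1)`), e.g. `/* 3 = event tag + 16-bit big-endian length */`.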