diff --git a/ChangeLog b/ChangeLog
index 661d4d2e8..269a841e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-11-12  Vladimir Serbinenko  <phcoder@gmail.com>
+
+	* grub-core/lib/crypto.c (grub_crypto_cbc_decrypt): Remove variable
+	length arrays.
+
 2013-11-12  Vladimir Serbinenko  <phcoder@gmail.com>
 
 	* grub-core/disk/AFSplitter.c: Remove variable length arrays.
diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
index 4d360aa67..e31afb745 100644
--- a/grub-core/lib/crypto.c
+++ b/grub-core/lib/crypto.c
@@ -261,11 +261,13 @@ grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher,
 {
   const grub_uint8_t *inptr;
   grub_uint8_t *outptr, *end;
-  grub_uint8_t ivt[cipher->cipher->blocksize];
+  grub_uint8_t ivt[GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE];
   if (!cipher->cipher->decrypt)
     return GPG_ERR_NOT_SUPPORTED;
   if (size % cipher->cipher->blocksize != 0)
     return GPG_ERR_INV_ARG;
+  if (cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
+    return GPG_ERR_INV_ARG;
   end = (grub_uint8_t *) in + size;
   for (inptr = in, outptr = out; inptr < end;
        inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)