diff --git a/sdk/program/src/hash.rs b/sdk/program/src/hash.rs index 3677fe3745..36b4d28de3 100644 --- a/sdk/program/src/hash.rs +++ b/sdk/program/src/hash.rs @@ -6,6 +6,8 @@ use std::{convert::TryFrom, fmt, mem, str::FromStr}; use thiserror::Error; pub const HASH_BYTES: usize = 32; +/// Maximum string length of a base58 encoded hash +const MAX_BASE58_LEN: usize = 44; #[derive( Serialize, Deserialize, Clone, Copy, Default, Eq, PartialEq, Ord, PartialOrd, Hash, AbiExample, )] @@ -65,6 +67,9 @@ impl FromStr for Hash { type Err = ParseHashError; fn from_str(s: &str) -> Result { + if s.len() > MAX_BASE58_LEN { + return Err(ParseHashError::WrongSize); + } let bytes = bs58::decode(s) .into_vec() .map_err(|_| ParseHashError::Invalid)?; @@ -173,6 +178,14 @@ mod tests { Err(ParseHashError::WrongSize) ); + let mut input_too_big = bs58::encode(&[255u8; HASH_BYTES]).into_string(); + input_too_big.push('1'); + assert!(input_too_big.len() > MAX_BASE58_LEN); + assert_eq!( + input_too_big.parse::(), + Err(ParseHashError::WrongSize) + ); + let mut hash_base58_str = bs58::encode(hash.0).into_string(); assert_eq!(hash_base58_str.parse::(), Ok(hash));
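Review bot: `MAX_BASE58_LEN` is a bare `44` with no stated link to `HASH_BYTES`, so a later change to the hash width would leave the limit silently wrong. The doc comment should record where the number comes from, for example `/// Maximum string length of a base58 encoded hash: HASH_BYTES (32) bytes encode to at most 44 characters`. A test that compares the constant with the length of an encoded all-`0xff` hash would catch any drift.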
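Review bot: The new length guard in `from_str` has no comment explaining why it runs before `bs58::decode`, and it changes which error some inputs produce. An over-long string that also contains non-base58 characters now returns `WrongSize`, where it presumably returned `Invalid` before, so callers matching on the variant will see a difference. If that precedence is intended, state it above the check, e.g. `// Bound untrusted input before decoding; over-long strings are WrongSize even if they also contain invalid characters`. `s.len()` counts bytes, which equals the character count for well-formed base58, so the bound is correct for valid input. The rest of `from_str` lies outside the hunk.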
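Review bot: The `input_too_big` case would likely pass even without the new guard, so it does not prove the early return. Appending `'1'` to the encoding of `[255u8; HASH_BYTES]` still decodes, but to more than `HASH_BYTES` bytes, and the size check later in `from_str` (outside this diff) presumably already reports that as `WrongSize`. To pin the early return, add an over-long input that cannot decode, e.g. `input_too_big.push('0');` (`'0'` is not in the base58 alphabet), and expect `WrongSize`. Putting `assert_eq!(input_too_big.len(), MAX_BASE58_LEN);` before the push would also tie the constant to the longest valid encoding. The test function starts and ends outside the hunk.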