diff --git a/src/hash.h b/src/hash.h
index 0947a0969..7da677013 100644
--- a/src/hash.h
+++ b/src/hash.h
@@ -13,7 +13,7 @@
 typedef struct {
     uint32_t s[8];
     uint32_t buf[16]; /* In big endian */
-    size_t bytes;
+    uint64_t bytes;
 } secp256k1_sha256;
 
 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
diff --git a/src/hash_impl.h b/src/hash_impl.h
index f8cd3a163..18342bb29 100644
--- a/src/hash_impl.h
+++ b/src/hash_impl.h
@@ -153,6 +153,8 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
     uint32_t sizedesc[2];
     uint32_t out[8];
     int i = 0;
+    /* The maximum message size of SHA256 is 2^64-1 bits. */
+    VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
     sizedesc[0] = BE32(hash->bytes >> 29);
     sizedesc[1] = BE32(hash->bytes << 3);
     secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));