diff --git a/src/sign-verify/clu_sign.c b/src/sign-verify/clu_sign.c
index 9f82e34e..cfebc878 100644
--- a/src/sign-verify/clu_sign.c
+++ b/src/sign-verify/clu_sign.c
@@ -99,6 +99,7 @@ int wolfCLU_sign_data(char* in, char* out, char* privKey, int keyType,
 {
 int ret;
 int fSz;
+ long fTell;
 XFILE f;
 byte *data = NULL;
@@ -107,8 +108,18 @@ int wolfCLU_sign_data(char* in, char* out, char* privKey, int keyType,
 wolfCLU_LogError("unable to open file %s", in);
 return BAD_FUNC_ARG;
 }
- XFSEEK(f, 0, SEEK_END);
- fSz = (int)XFTELL(f);
+ if (XFSEEK(f, 0, SEEK_END) != 0) {
+ wolfCLU_LogError("Failed to seek to end of file.");
+ XFCLOSE(f);
+ return WOLFCLU_FATAL_ERROR;
+ }
+ fTell = XFTELL(f);
+ if (fTell <= 0 || fTell > INT_MAX) {
+ wolfCLU_LogError("Incorrect input file size: %ld", fTell);
+ XFCLOSE(f);
+ return WOLFCLU_FATAL_ERROR;
+ }
+ fSz = (int)fTell;
 data = (byte*)XMALLOC(fSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 if (data == NULL) {
diff --git a/tests/genkey_sign_ver/genkey-sign-ver-test.py b/tests/genkey_sign_ver/genkey-sign-ver-test.py
index de424482..9e9d3c29 100644
--- a/tests/genkey_sign_ver/genkey-sign-ver-test.py
+++ b/tests/genkey_sign_ver/genkey-sign-ver-test.py
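Review bot: In the second hunk of src/sign-verify/clu_sign.c, the `fTell <= 0` test reports an XFTELL failure (-1) with the same "Incorrect input file size" message as a zero-length file, so an I/O error and an empty input cannot be told apart in the log. A separate `if (fTell < 0)` branch with its own message, placed before the size-range check, would keep the diagnostics accurate. `INT_MAX` also needs `<limits.h>` in scope, and the include list is not visible in this hunk. The body of wolfCLU_sign_data continues past the hunk; presumably the file is rewound and read there, and those calls deserve the same return-value checks so that a short read cannot leave part of `data` uninitialised before it is signed.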
@@ -212,6 +212,24 @@ def test_ecc_sign_invalid_key_fails(self):
 self.assertNotEqual(r.returncode, 0,
 "ECC signing with empty key should have failed")
+ def test_ecc_sign_empty_input_fails(self):
+ """Signing a 0-byte input file must fail gracefully (regression for
+ the XFSEEK/XFTELL size guards in wolfCLU_sign_data)."""
+ priv, _ = self._genkey("ecc", "ecc-empty-in", "der",
+ use_output_flag=True)
+ empty_in = "empty-input.txt"
+ empty_sig = "empty-input.sig"
+ self._track(empty_in, empty_sig)
+ open(empty_in, "wb").close()
+
+ r = run_wolfssl("-ecc", "-sign", "-inkey", priv, "-inform", "der",
+ "-in", empty_in, "-out", empty_sig)
+ self.assertNotEqual(r.returncode, 0,
+ "ECC signing of empty input should have failed")
+ self.assertGreaterEqual(r.returncode, 0,
+ "ECC sign of empty input crashed with signal "
+ "{}".format(r.returncode))
+
 def test_ecc_sign_missing_inkey_value(self):
 """-inkey with no value must fail gracefully (no segfault)."""
 r = run_wolfssl("-ecc", "-sign", "-inkey")
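Review bot: test_ecc_sign_empty_input_fails checks only the exit status, so a run that fails but still leaves a signature file behind would pass. Adding `self.assertFalse(os.path.exists(empty_sig))` after the return-code assertions would pin that no output is produced; this assumes `os` is already imported in the test module, which the hunk does not show. The `assertGreaterEqual(r.returncode, 0, ...)` crash check relies on a signal being reported as a negative return code, which holds on POSIX only, so a short comment such as `# POSIX: negative returncode means killed by signal` would make that limit explicit.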