diff --git a/channels/rail/client/rail_orders.c b/channels/rail/client/rail_orders.c
index 6b4e62051..c84d14260 100644
--- a/channels/rail/client/rail_orders.c
+++ b/channels/rail/client/rail_orders.c
@@ -151,9 +151,10 @@ static UINT rail_read_server_get_appid_resp_order(wStream* s,
 return ERROR_INVALID_DATA;
 Stream_Read_UINT32(s, getAppidResp->windowId); /* windowId (4 bytes) */
- Stream_Read_UTF16_String(
- s, getAppidResp->applicationId,
- ARRAYSIZE(getAppidResp->applicationId)); /* applicationId (260 UNICODE chars) */
+ if (!Stream_Read_UTF16_String(
+ s, getAppidResp->applicationId,
+ ARRAYSIZE(getAppidResp->applicationId))) /* applicationId (260 UNICODE chars) */
+ return ERROR_INVALID_DATA;
 return CHANNEL_RC_OK;
 }
diff --git a/channels/rail/server/rail_main.c b/channels/rail/server/rail_main.c
index 7a4b41bd0..b9208d0d3 100644
--- a/channels/rail/server/rail_main.c
+++ b/channels/rail/server/rail_main.c
@@ -235,9 +235,10 @@ static UINT rail_write_get_app_id_resp_order(wStream* s,
 return ERROR_INVALID_PARAMETER;
 Stream_Write_UINT32(s, getAppidResp->windowId); /* WindowId (4 bytes) */
- Stream_Write_UTF16_String(
- s, getAppidResp->applicationId,
- ARRAYSIZE(getAppidResp->applicationId)); /* ApplicationId (512 bytes) */
+ if (!Stream_Write_UTF16_String(
+ s, getAppidResp->applicationId,
+ ARRAYSIZE(getAppidResp->applicationId))) /* ApplicationId (512 bytes) */
+ return ERROR_INVALID_DATA;
 return ERROR_SUCCESS;
 }
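Review bot: In rail_read_server_get_appid_resp_order the read still fills all `ARRAYSIZE(getAppidResp->applicationId)` elements from the server's PDU, so a successful return does not mean `applicationId` is NUL-terminated. The new check only rejects a failed read; if consumers outside this hunk treat the field as a string, terminate it after the read, e.g. `getAppidResp->applicationId[ARRAYSIZE(getAppidResp->applicationId) - 1] = 0;`, or document that it is a fixed-width field. The same applies to `descriptor->cFileName` in cliprdr_read_filedescriptor later in this diff. The function's start is outside the hunk.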
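Review bot: rail_write_get_app_id_resp_order always writes the full `ARRAYSIZE(getAppidResp->applicationId)` elements, so whatever sits in the array after the string's terminator is sent to the peer. Nothing in the hunk shows the caller zero-initialising the struct, so stale memory could go on the wire; a comment such as `/* fixed-width field: caller must zero-fill applicationId past the terminator */` would make the contract explicit. The same holds for `applicationID` and `processImageName` in rail_write_get_appid_resp_ex_order and for `cFileName` in cliprdr_write_filedescriptor. Separately, the comment here says 512 bytes while the client-side read in rail_orders.c describes the field as 260 UNICODE chars.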
@@ -253,13 +254,15 @@ static UINT rail_write_get_appid_resp_ex_order(wStream* s,
 return ERROR_INVALID_PARAMETER;
 Stream_Write_UINT32(s, getAppidRespEx->windowID); /* WindowId (4 bytes) */
- Stream_Write_UTF16_String(
- s, getAppidRespEx->applicationID,
- ARRAYSIZE(getAppidRespEx->applicationID)); /* ApplicationId (520 bytes) */
+ if (!Stream_Write_UTF16_String(
+ s, getAppidRespEx->applicationID,
+ ARRAYSIZE(getAppidRespEx->applicationID))) /* ApplicationId (520 bytes) */
+ return ERROR_INVALID_DATA;
 Stream_Write_UINT32(s, getAppidRespEx->processId); /* ProcessId (4 bytes) */
- Stream_Write_UTF16_String(
- s, getAppidRespEx->processImageName,
- ARRAYSIZE(getAppidRespEx->processImageName)); /* ProcessImageName (520 bytes) */
+ if (!Stream_Write_UTF16_String(
+ s, getAppidRespEx->processImageName,
+ ARRAYSIZE(getAppidRespEx->processImageName))) /* ProcessImageName (520 bytes) */
+ return ERROR_INVALID_DATA;
 return ERROR_SUCCESS;
 }
diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 67279f544..bdab4035b 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -514,7 +514,7 @@ static BOOL rdg_send_extauth_sspi(rdpRdg* rdg)
 static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
 {
 wStream* s = nullptr;
- BOOL status = 0;
+ BOOL status = FALSE;
 UINT32 packetSize = 16;
 UINT16 fieldsPresent = 0;
 WCHAR* PAACookie = nullptr;
@@ -529,10 +529,7 @@ static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
 ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);
 if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
- {
- free(PAACookie);
- return FALSE;
- }
+ goto fail;
 PAACookieLen += 1; /* include \0 */
 packetSize += 2 + (UINT32)(PAACookieLen) * sizeof(WCHAR);
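Review bot: Both new failure paths in rail_write_get_appid_resp_ex_order return `ERROR_INVALID_DATA`, which reads as malformed input although the failing step is a write into the outgoing stream. The function already uses `ERROR_INVALID_PARAMETER` for bad arguments, so a distinct code for the write failure (for example `ERROR_INSUFFICIENT_BUFFER`, if the failure is a capacity one) would let callers tell the cases apart; rail_write_get_app_id_resp_order has the same return. On the second failure the stream already holds windowID, applicationID and processId, so the caller has to discard it rather than send it.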
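Review bot: The guard that now jumps to `fail` in rdg_send_tunnel_request accepts `PAACookieLen == UINT16_MAX / sizeof(WCHAR)`, and the following `PAACookieLen += 1` then makes the byte length exceed what a 16-bit field can hold. The length is written later in this function as `Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR))`, where the cast applies before the multiplication, so the value would presumably wrap for a token of exactly that length. rdg_send_tunnel_authorization uses `>=` in the equivalent check; the same here would be `if (!PAACookie || (PAACookieLen >= UINT16_MAX / sizeof(WCHAR)))`. The body of rdg_send_tunnel_request continues outside this hunk.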
@@ -542,10 +539,7 @@ static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
 s = Stream_New(nullptr, packetSize);
 if (!s)
- {
- free(PAACookie);
- return FALSE;
- }
+ goto fail;
 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_CREATE); /* Type (2 bytes) */
 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
@@ -557,11 +551,14 @@ static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
 if (PAACookie)
 {
 Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR)); /* PAA cookie string length */
- Stream_Write_UTF16_String(s, PAACookie, PAACookieLen);
+ if (!Stream_Write_UTF16_String(s, PAACookie, PAACookieLen))
+ goto fail;
 }
 Stream_SealLength(s);
 status = rdg_write_packet(rdg, s);
+
+fail:
 Stream_Free(s, TRUE);
 free(PAACookie);
@@ -576,7 +573,7 @@ static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
 static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
 {
 wStream* s = nullptr;
- BOOL status = 0;
+ BOOL status = FALSE;
 WINPR_ASSERT(rdg);
 size_t clientNameLen = 0;
 WCHAR* clientName = freerdp_settings_get_string_as_utf16(
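Review bot: The new `fail:` label in rdg_send_tunnel_request is reached from the two earlier `goto fail` sites while `s` is still `nullptr`, so the cleanup now depends on `Stream_Free(s, TRUE)` accepting a null stream. That is not visible in this diff; if it holds, a short comment at the label such as `/* s may be nullptr here */` documents the reliance. The same applies to the `fail:` label added in rdg_send_tunnel_authorization, where `clientName` may also be null when `free(clientName)` runs (which `free` permits).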
@@ -586,34 +583,29 @@ static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
 const size_t packetSize = 12ull + clientNameLen * sizeof(WCHAR);
 if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
- {
- free(clientName);
- return FALSE;
- }
+ goto fail;
 s = Stream_New(nullptr, packetSize);
 if (!s)
- {
- free(clientName);
- return FALSE;
- }
+ goto fail;
 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_AUTH); /* Type (2 bytes) */
 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
 Stream_Write_UINT16(s, 0); /* FieldsPresent (2 bytes) */
 Stream_Write_UINT16(s, (UINT16)clientNameLen * sizeof(WCHAR)); /* Client name string length */
- Stream_Write_UTF16_String(s, clientName, clientNameLen);
+ if (!Stream_Write_UTF16_String(s, clientName, clientNameLen))
+ goto fail;
 Stream_SealLength(s);
 status = rdg_write_packet(rdg, s);
+
+fail:
 Stream_Free(s, TRUE);
 free(clientName);
 if (status)
- {
 rdg->state = RDG_CLIENT_STATE_TUNNEL_AUTHORIZE;
- }
 return status;
 }
@@ -648,7 +640,9 @@ static BOOL rdg_send_channel_create(rdpRdg* rdg)
 (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
 Stream_Write_UINT16(s, 3); /* Protocol number (2 bytes) */
 Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
- Stream_Write_UTF16_String(s, serverName, serverNameLen);
+ if (!Stream_Write_UTF16_String(s, serverName, serverNameLen))
+ goto fail;
+
 Stream_SealLength(s);
 status = rdg_write_packet(rdg, s);
 fail:
diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c
index 5ec1b3f48..15012c90b 100644
--- a/libfreerdp/core/gateway/tsg.c
+++ b/libfreerdp/core/gateway/tsg.c
@@ -451,7 +451,8 @@ static BOOL tsg_ndr_write_string(WINPR_ATTR_UNUSED wLog* log, wStream* s, const
 Stream_Write_UINT32(s, (UINT32)length); /* MaxCount (4 bytes) */
 Stream_Write_UINT32(s, 0); /* Offset (4 bytes) */
 Stream_Write_UINT32(s, (UINT32)length); /* ActualCount (4 bytes) */
- Stream_Write_UTF16_String(s, str, length); /* Array */
+ if (!Stream_Write_UTF16_String(s, str, length)) /* Array */
+ return FALSE;
 Stream_Zero(s, pad);
 return TRUE;
 }
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 77b1c200f..327baae6a 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -2856,8 +2856,9 @@ static CACHE_GLYPH_ORDER* update_read_cache_glyph_order(rdpUpdate* update, wStre
 sizeof(WCHAR)))
 goto fail;
- Stream_Read_UTF16_String(s, cache_glyph_order->unicodeCharacters,
- cache_glyph_order->cGlyphs);
+ if (!Stream_Read_UTF16_String(s, cache_glyph_order->unicodeCharacters,
+ cache_glyph_order->cGlyphs))
+ goto fail;
 }
 return cache_glyph_order;
@@ -2959,7 +2960,9 @@ static CACHE_GLYPH_V2_ORDER* update_read_cache_glyph_v2_order(rdpUpdate* update,
 if (!Stream_CheckAndLogRequiredLengthOfSize(TAG, s, cache_glyph_v2->cGlyphs, sizeof(WCHAR)))
 goto fail;
- Stream_Read_UTF16_String(s, cache_glyph_v2->unicodeCharacters, cache_glyph_v2->cGlyphs);
+ if (!Stream_Read_UTF16_String(s, cache_glyph_v2->unicodeCharacters,
+ cache_glyph_v2->cGlyphs))
+ goto fail;
 }
 return cache_glyph_v2;
diff --git a/libfreerdp/utils/cliprdr_utils.c b/libfreerdp/utils/cliprdr_utils.c
index 6ce971d3e..8d20273ce 100644
--- a/libfreerdp/utils/cliprdr_utils.c
+++ b/libfreerdp/utils/cliprdr_utils.c
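Review bot: tsg_ndr_write_string now returns FALSE after MaxCount, Offset and ActualCount have already been written, so a failed string write leaves a partial NDR string in `s`; callers need to drop the stream on FALSE. It is also worth confirming how `Stream_Write_UTF16_String` treats a null `str` with `length == 0`: if it reports failure, an empty string that used to be encoded successfully is now rejected. A comment such as `/* on FALSE the stream holds a partial string and must be discarded */` would record the contract. The function's start is outside the hunk.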
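Review bot: In update_read_cache_glyph_order the preceding Stream_CheckAndLogRequiredLengthOfSize call bounds the source side, but nothing in the hunk shows that `cache_glyph_order->unicodeCharacters` has room for `cGlyphs` elements, and `cGlyphs` is presumably parsed from the received order. The allocation is outside the hunk; if it is sized from the same `cGlyphs`, a comment like `/* unicodeCharacters holds exactly cGlyphs WCHARs, no terminator */` would make that explicit next to the read. update_read_cache_glyph_v2_order has the same shape.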
@@ -137,9 +137,8 @@ BOOL cliprdr_read_filedescriptor(wStream* s, FILEDESCRIPTORW* descriptor)
 descriptor->ftLastWriteTime = uint64_to_filetime(tmp);
 Stream_Read_UINT32(s, descriptor->nFileSizeHigh); /* fileSizeHigh (4 bytes) */
 Stream_Read_UINT32(s, descriptor->nFileSizeLow); /* fileSizeLow (4 bytes) */
- Stream_Read_UTF16_String(s, descriptor->cFileName,
- ARRAYSIZE(descriptor->cFileName)); /* cFileName (520 bytes) */
- return TRUE;
+ return Stream_Read_UTF16_String(s, descriptor->cFileName,
+ ARRAYSIZE(descriptor->cFileName)); /* cFileName (520 bytes) */
 }
 BOOL cliprdr_write_filedescriptor(wStream* s, const FILEDESCRIPTORW* descriptor)
@@ -166,9 +165,8 @@ BOOL cliprdr_write_filedescriptor(wStream* s, const FILEDESCRIPTORW* descriptor)
 s, filetime_to_uint64(descriptor->ftLastWriteTime)); /* lastWriteTime (8 bytes) */
 Stream_Write_UINT32(s, descriptor->nFileSizeHigh); /* fileSizeHigh (4 bytes) */
 Stream_Write_UINT32(s, descriptor->nFileSizeLow); /* fileSizeLow (4 bytes) */
- Stream_Write_UTF16_String(s, descriptor->cFileName,
- ARRAYSIZE(descriptor->cFileName)); /* cFileName (520 bytes) */
- return TRUE;
+ return Stream_Write_UTF16_String(s, descriptor->cFileName,
+ ARRAYSIZE(descriptor->cFileName)); /* cFileName (520 bytes) */
 }
 /**