diff --git a/lib/elliptic.js b/lib/elliptic.js
index ed37fdf..bd48ec1 100644
--- a/lib/elliptic.js
+++ b/lib/elliptic.js
@@ -47,12 +47,12 @@ function loadPublicKey (pubkey) {
   switch (first) {
     case 0x02:
     case 0x03:
-      // if (pubkey.length !== 33) return null
+      if (pubkey.length !== 33) return null
       return loadCompressedPublicKey(first, pubkey.subarray(1, 33))
     case 0x04:
     case 0x06:
     case 0x07:
-      // if (pubkey.length !== 65) return null
+      if (pubkey.length !== 65) return null
       return loadUncompressedPublicKey(first, pubkey.subarray(1, 33), pubkey.subarray(33, 65))
     default:
       return null
diff --git a/test/publickey.js b/test/publickey.js
index 463c424..e8f3cec 100644
--- a/test/publickey.js
+++ b/test/publickey.js
@@ -28,6 +28,10 @@ module.exports = (t, secp256k1) => {
       invalidY[64] ^= 0x01
       t.false(secp256k1.publicKeyVerify(invalidY), 'invalid Y')
 
+      const invalidLength = Buffer.from(publicKey.uncompressed)
+      invalidLength[0] = publicKey.compressed[0]
+      t.false(secp256k1.publicKeyVerify(invalidLength), 'invalid length')
+
       t.end()
     })