diff --git a/src/stream/raw.rs b/src/stream/raw.rs
index ee1d292a..65a6d06c 100644
--- a/src/stream/raw.rs
+++ b/src/stream/raw.rs
@@ -96,10 +96,11 @@ impl Operation for NoOp {
         // Skip the prelude
         let src = &input.src[input.pos..];
         // Safe because `output.pos() <= output.dst.capacity()`.
-        let dst = unsafe { output.dst.as_mut_ptr().add(output.pos()) };
+        let output_pos = output.pos();
+        let dst = unsafe { output.dst.as_mut_ptr().add(output_pos) };
 
         // Ignore anything past the end
-        let len = usize::min(src.len(), output.dst.capacity());
+        let len = usize::min(src.len(), output.dst.capacity() - output_pos);
         let src = &src[..len];
 
         // Safe because:
@@ -107,7 +108,7 @@ impl Operation for NoOp {
         // * `src` and `dst` do not overlap because we have `&mut` to each.
         unsafe { std::ptr::copy_nonoverlapping(src.as_ptr(), dst, len) };
         input.set_pos(input.pos() + len);
-        unsafe { output.set_pos(output.pos() + len) };
+        unsafe { output.set_pos(output_pos + len) };
 
         Ok(0)
     }
diff --git a/zstd-safe/src/lib.rs b/zstd-safe/src/lib.rs
index 51564bdd..1c555674 100644
--- a/zstd-safe/src/lib.rs
+++ b/zstd-safe/src/lib.rs
@@ -1718,6 +1718,7 @@ impl<'a, C: WriteBuf + ?Sized> OutBuffer<'a, C> {
 
     /// Returns the current cursor position.
     pub fn pos(&self) -> usize {
+        assert!(self.pos <= self.dst.capacity());
         self.pos
     }