diff --git a/dlls/wintrust/softpub.c b/dlls/wintrust/softpub.c
index 9c79fa8bcd..7f5f86f5a5 100644
--- a/dlls/wintrust/softpub.c
+++ b/dlls/wintrust/softpub.c
@@ -256,7 +256,8 @@ static BOOL SOFTPUB_LoadCertMessage(CRYPT_PROVIDER_DATA *data)
     BOOL ret;
 
     if (data->pWintrustData->u.pCert &&
-     data->pWintrustData->u.pCert->cbStruct == sizeof(WINTRUST_CERT_INFO))
+     WVT_IS_CBSTRUCT_GT_MEMBEROFFSET(WINTRUST_CERT_INFO,
+     data->pWintrustData->u.pCert->cbStruct, psCertContext))
     {
         if (data->psPfns)
         {
@@ -266,7 +267,9 @@ static BOOL SOFTPUB_LoadCertMessage(CRYPT_PROVIDER_DATA *data)
             /* Add a signer with nothing but the time to verify, so we can
              * add a cert to it
              */
-            if (data->pWintrustData->u.pCert->psftVerifyAsOf)
+            if (WVT_ISINSTRUCT(WINTRUST_CERT_INFO,
+             data->pWintrustData->u.pCert->cbStruct, psftVerifyAsOf) &&
+             data->pWintrustData->u.pCert->psftVerifyAsOf)
                 data->sftSystemTime = signer.sftVerifyAsOf;
             else
             {
@@ -280,10 +283,12 @@ static BOOL SOFTPUB_LoadCertMessage(CRYPT_PROVIDER_DATA *data)
             {
                 ret = data->psPfns->pfnAddCert2Chain(data, 0, FALSE, 0,
                  data->pWintrustData->u.pCert->psCertContext);
-                for (i = 0; ret && i < data->pWintrustData->u.pCert->chStores;
-                 i++)
-                    ret = data->psPfns->pfnAddStore2Chain(data,
-                     data->pWintrustData->u.pCert->pahStores[i]);
+                if (WVT_ISINSTRUCT(WINTRUST_CERT_INFO,
+                 data->pWintrustData->u.pCert->cbStruct, pahStores))
+                        for (i = 0;
+                         ret && i < data->pWintrustData->u.pCert->chStores; i++)
+                            ret = data->psPfns->pfnAddStore2Chain(data,
+                             data->pWintrustData->u.pCert->pahStores[i]);
             }
         }
         else